The Samba-Bugzilla – Attachment 9634 Details for Bug 10392 – TLS private key permissions
Patch for v4-1-test
tmp41.diff (text/plain), 1.70 KB, created by Stefan Metzmacher on 2014-02-02 17:38:54 UTC
>From 622d912c22857ebf2db6649b4cce587e6c8b6ae5 Mon Sep 17 00:00:00 2001 >From: Michael Brown <michael@netdirect.ca> >Date: Wed, 22 Jan 2014 03:23:12 +0000 >Subject: [PATCH] s4:tls_tstream: allow mode of SSL keyfile to be 0400, not > only 0600 > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=10392 > >Signed-off-by: Michael Brown <michael@netdirect.ca> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> > >Autobuild-User(master): Stefan Metzmacher <metze@samba.org> >Autobuild-Date(master): Fri Jan 31 01:27:03 CET 2014 on sn-devel-104 >(cherry picked from commit 05c1fe50556e2330e23b7efb38e653428b9bdadf) >--- > source4/lib/tls/tls_tstream.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > >diff --git a/source4/lib/tls/tls_tstream.c b/source4/lib/tls/tls_tstream.c >index 2cb75ed..d67f2d9 100644 >--- a/source4/lib/tls/tls_tstream.c >+++ b/source4/lib/tls/tls_tstream.c >@@ -1113,16 +1113,17 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx, > } > > if (file_exist(key_file) && >+ !file_check_permissions(key_file, geteuid(), 0400, &st) && > !file_check_permissions(key_file, geteuid(), 0600, &st)) > { > DEBUG(0, ("Invalid permissions on TLS private key file '%s':\n" >- "owner uid %u should be %u, mode 0%o should be 0%o\n" >+ "owner uid %u should be %u, mode %04o should be %04o or %04o\n" > "This is known as CVE-2013-4476.\n" > "Removing all tls .pem files will cause an " > "auto-regeneration with the correct permissions.\n", > key_file, > (unsigned int)st.st_uid, geteuid(), >- (unsigned int)(st.st_mode & 0777), 0600)); >+ (unsigned int)(st.st_mode & 0777), 0400, 0600)); > return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; > } > >-- >1.7.9.5 >
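Review bot: The condition at the top of the hunk enumerates acceptable modes one call at a time (`file_check_permissions(key_file, geteuid(), 0400, &st)` followed by the same call with 0600), so every further owner-only mode would need another call and another `%04o` in the message. If file_check_permissions() compares the mode exactly, as the "should be %04o or %04o" wording implies, consider stating the requirement directly instead: owner uid equals geteuid() and no group/other bits set, i.e. reject when `(st.st_mode & 077) != 0`. Both calls also fill the same `st` that the DEBUG message later prints, and the file is examined by path three times in a row (file_exist plus the two checks); a single stat whose result feeds both the decision and the message would be easier to reason about. Minor: in the DEBUG arguments `geteuid()` is passed to `%u` without the `(unsigned int)` cast that `st.st_uid` gets on the same line, and the `0400, 0600` literals are ints passed to `%04o`; casting them would keep the format arguments consistent.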