While setting up TLS:

[2014/01/16 12:19:42.945796, 0] ../source4/lib/tls/tls_tstream.c:1125(tstream_tls_params_server)
Invalid permissions on TLS private key file '/var/lib/samba/private/tls/star.netdirect.ca-key.pem': owner uid 0 should be 0, mode 0400 should be 0600

0400 should *also* be a valid mode for the keyfile :)
Created attachment 9608 [details] Proposed patch
Comment on attachment 9608 [details] Proposed patch

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Thanks. If you don't get a second reviewer here shortly, please post it to samba-technical with the above marker and I'll make sure it gets in.
Comment on attachment 9608 [details] Proposed patch

This doesn't apply to current master. Can you also add a Signed-off-by: line?
Created attachment 9622 [details] rebased patch - no code change rebased against master - no change
Created attachment 9623 [details] updated patch, added signed-off-by added Signed-off-by:
(In reply to comment #5)
> Created attachment 9623 [details]
> updated patch, added signed-off-by
>
> added Signed-off-by:

Thanks! You're messing up tabs in the attachments, all tabs are whitespaces. It only applies with git am --ignore-space-change, then I replaced whitespaces with tabs again. I've pushed this to autobuild.
(In reply to comment #6)
> You're messing up tabs in the attachments,
> all tabs are whitespaces.

Apologies! I was rushing it and forgot about that detail. Bad terminal copy-paster.
Created attachment 9634 [details] Patch for v4-1-test
Created attachment 9635 [details] Patch for v4-0-test
Ok, this generates this now...

invalid permissions on file '/memdisk/metze/W/b138235/samba/bin/ab/promoted_dc/private/tls/key.pem': has 0600 should be 0400'.

I think we need a better way. Maybe file_check_permissions() should get allow_perms and deny_perms. And we would call it with allow_perms = 0400 and deny_perms = 0177. And bits in neither of them are ignored.
(In reply to comment #10)
> Ok, this generates this now...
>
> invalid permissions on file
> '/memdisk/metze/W/b138235/samba/bin/ab/promoted_dc/private/tls/key.pem': has
> 0600 should be 0400'.
>
> I think we need a better way. Maybe file_check_permissions()
> should get allow_perms and deny_perms. And we would call it
> with allow_perms = 0400 and deny_perms = 0177. And bits in neither
> of them are ignored.

I think we should revert the original patch for now, until such a patch is written, so we don't have this in 4.2.
(In reply to comment #11) Yeah, it does generate that spurious warning… I'll rework it with allowed_mask and deny_mask.
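For reference, the allow/deny mask scheme sketched in comments #10 and #11, written out as a stand-alone C example. This is an added illustration, not Samba's file_check_permissions() or any code from the attached patches; check_key_perms(), check_key_file() and the KEY_*_PERMS macros are made-up names, and the values allow=0400 / deny=0177 are the ones proposed in the thread. Bits set in deny_perms fail the check, bits in allow_perms are explicitly fine and form the recommended mode printed in the diagnostic, and bits in neither mask (owner write, 0200) are ignored, so both 0400 and 0600 pass while 0640 fails. The owner check from the original log line is kept as well.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical masks, values taken from the thread (comment #10). */
#define KEY_ALLOW_PERMS 0400   /* bits that are fine; also the recommended mode */
#define KEY_DENY_PERMS  0177   /* bits that must never be set on a private key */

/*
 * Hypothetical check, not Samba's file_check_permissions().
 * Returns 0 if the file is acceptable, -1 otherwise. A diagnostic is
 * written into msg when msg is non-NULL. Mode bits that appear in
 * neither allow_perms nor deny_perms are ignored.
 */
int check_key_perms(const char *path, uid_t owner, mode_t st_mode,
                    uid_t want_owner, mode_t allow_perms, mode_t deny_perms,
                    char *msg, size_t msglen)
{
    mode_t perms = st_mode & 07777;   /* strip the file-type bits */
    mode_t bad = perms & deny_perms;  /* the offending bits, if any */

    if (owner != want_owner) {
        if (msg)
            snprintf(msg, msglen,
                     "invalid owner on file '%s': owner uid %u should be %u",
                     path, (unsigned)owner, (unsigned)want_owner);
        return -1;
    }
    if (bad != 0) {
        if (msg)
            snprintf(msg, msglen,
                     "invalid permissions on file '%s': has %04o, bits %04o "
                     "must not be set, recommended mode %04o",
                     path, (unsigned)perms, (unsigned)bad, (unsigned)allow_perms);
        return -1;
    }
    if (msg)
        snprintf(msg, msglen, "ok: '%s' has mode %04o", path, (unsigned)perms);
    return 0;
}

/* Wrapper that stats a real file and applies the default masks. */
int check_key_file(const char *path, uid_t want_owner, char *msg, size_t msglen)
{
    struct stat st;

    if (stat(path, &st) != 0) {
        if (msg)
            snprintf(msg, msglen, "cannot stat '%s'", path);
        return -1;
    }
    return check_key_perms(path, st.st_uid, st.st_mode, want_owner,
                           KEY_ALLOW_PERMS, KEY_DENY_PERMS, msg, msglen);
}

int main(void)
{
    /* Constructed sample: one temporary file, walked through the modes
     * discussed in the thread plus two that should be rejected. */
    char tmpl[] = "/tmp/tls-key-XXXXXX";
    char msg[256];
    mode_t modes[] = { 0400, 0600, 0640, 0644 };
    int fd = mkstemp(tmpl);

    if (fd < 0) {
        perror("mkstemp");
        return 1;
    }
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++) {
        fchmod(fd, modes[i]);
        check_key_file(tmpl, getuid(), msg, sizeof msg);
        printf("%04o -> %s\n", (unsigned)modes[i], msg);
    }
    close(fd);
    unlink(tmpl);
    return 0;
}
```

One caveat a real implementation should settle: deny_perms = 0177 says nothing about the setuid/setgid/sticky bits (07000), so a key file with mode 04400 would pass this check unremarked; widening the deny mask to 07177 closes that gap without changing the 0400/0600 behaviour the thread wants.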
*** Bug 14149 has been marked as a duplicate of this bug. ***