Bug 9379 - [SECURITY] ntp_signd permissions are too broad
Summary: [SECURITY] ntp_signd permissions are too broad
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.0.0rc4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Blocks: 8622
Reported: 2012-11-11 23:29 UTC by Andrew Bartlett
Modified: 2012-11-12 10:45 UTC (History)

Attachments
Move the ntp socket to var/lib (1.19 KB, patch)
2012-11-11 23:29 UTC, Andrew Bartlett
abartlet: review? (jelmer)
obnox: review+
Only allow group (eg ntp) access to the ntp_signd socket. (1.69 KB, patch)
2012-11-11 23:30 UTC, Andrew Bartlett
abartlet: review? (jelmer)
obnox: review+

Description Andrew Bartlett 2012-11-11 23:29:17 UTC
Created attachment 8180
Move the ntp socket to var/lib

The permissions on the var/run/ntp_signd socket are too broad, allowing all users on the system the ability to either spoof time, or obtain MD5(unicodePwd) for machine trust accounts.

These patches move the socket to var/lib/ntp_signd and require the administrator to chgrp it to 'ntp' if their NTP implementation runs as a non-privileged user.

(This is required because /var/run/ may be wiped each boot)
Comment 1 Andrew Bartlett 2012-11-11 23:30:31 UTC
Created attachment 8181
Only allow group (eg ntp) access to the ntp_signd socket.
Comment 2 Michael Adam 2012-11-12 07:44:04 UTC
Assigning to Karolin for v4-0-test
Comment 3 Karolin Seeger 2012-11-12 08:21:12 UTC
Pushed to autobuild-v4-0-test.
Comment 4 Andrew Bartlett 2012-11-12 08:37:48 UTC
Text for the WHATSNEW:

With this release candidate the location of the socket Samba accepts connections from NTPd has changed, as have the enforced permissions.

This means the ntp.conf will need to change from (eg)

ntpsigndsocket /usr/local/samba/var/run/ntp_signd/

to

ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/

To use the socket with ntp on a system with an ntp user and group, you must run:

chgrp ntp /usr/local/samba/var/lib/ntp_signd/
Comment 5 Karolin Seeger 2012-11-12 08:50:35 UTC
(In reply to comment #4)
> Text for the WHATSNEW:
> 
> With this release candidate the location of the socket Samba accepts
> connections from NTPd has changed, as have the enforced permissions.
> 
> This means the ntp.conf will need to change from (eg)
> 
> ntpsigndsocket /usr/local/samba/var/run/ntp_signd/
> 
> to
> 
> ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
> 
> To use the socket with ntp on a system with an ntp user and group, you must
> run:
> 
> chgrp ntp /usr/local/samba/var/lib/ntp_signd/

Added and pushed.
Thanks!
Comment 6 Karolin Seeger 2012-11-12 10:45:53 UTC
Pushed to v4-0-test.
Closing out bug report.

Thanks!
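
The permission requirement from the description and the chgrp step in comment 4 can be verified with a short audit check. This is an added example, not part of the bug thread or Samba's own code; the function name check_signd_dir is hypothetical, and it assumes that any permission bit for "other" on the socket directory counts as a failure.

```shell
#!/bin/sh
# Added example (not Samba code): audit the directory holding the ntp_signd socket.
# Assumption: any permission bit for "other" is a failure, because the bug is
# that every local user could reach the socket.

# check_signd_dir DIR [GROUP]
# Returns 0 when DIR is a real directory with no "other" permission bits and,
# if GROUP is given, is owned by that group. Otherwise prints the reasons on
# stderr and returns 1.
check_signd_dir() {
    dir=$1
    want_group=${2:-}
    rc=0

    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: $dir is missing, not a directory, or a symlink" >&2
        return 1
    fi

    # POSIX "ls -ld" output: mode string, link count, owner, group, ...
    ls_out=$(ls -ld -- "$dir") || return 1
    mode=$(printf '%s\n' "$ls_out" | awk '{print $1}')
    group=$(printf '%s\n' "$ls_out" | awk '{print $4}')

    # Characters 8-10 of the mode string are the "other" bits.
    other=$(printf '%s\n' "$mode" | cut -c8-10)
    case $other in
        ---|--T) ;;
        *) echo "FAIL: $dir is accessible to other users ($mode)" >&2; rc=1 ;;
    esac

    if [ -n "$want_group" ] && [ "$group" != "$want_group" ]; then
        echo "FAIL: $dir has group $group, expected $want_group" >&2
        rc=1
    fi

    # A trailing "+" means ACL entries exist that the mode string does not show.
    case $mode in
        *+) echo "WARN: $dir has ACLs; review them with getfacl" >&2 ;;
    esac

    return $rc
}

# Example: sh check.sh /usr/local/samba/var/lib/ntp_signd ntp
if [ $# -gt 0 ]; then
    check_signd_dir "$@"
fi
```

Run it against both the old var/run path and the new var/lib path after upgrading, so a leftover world-accessible directory from the earlier layout does not go unnoticed.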