[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Thu Jan 30 17:28:03 MST 2014


The branch, master has been updated
       via  05c1fe5 s4:tls_tstream: allow mode of SSL keyfile to be 0400, not only 0600
       via  afdb715 build: Build idmap_ad by default
      from  9fb9438 selftets: durable-open.reopen4 succeeds now.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 05c1fe50556e2330e23b7efb38e653428b9bdadf
Author: Michael Brown <michael at netdirect.ca>
Date:   Wed Jan 22 03:23:12 2014 +0000

    s4:tls_tstream: allow mode of SSL keyfile to be 0400, not only 0600
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10392
    
    Signed-off-by: Michael Brown <michael at netdirect.ca>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Fri Jan 31 01:27:03 CET 2014 on sn-devel-104

commit afdb715d21feaef495685abcd9469976282b34d1
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Jan 30 11:30:05 2014 +0000

    build: Build idmap_ad by default
    
    Most other idmap modules are built by default. I don't see a reason why
    idmap_ad should be special here.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/wscript               |    1 +
 source4/lib/tls/tls_tstream.c |    5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/wscript b/source3/wscript
index 501707b..af0ed9f 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -1812,6 +1812,7 @@ main() {
 				      vfs_worm
                                       vfs_crossrename vfs_linux_xfs_sgid
                                       vfs_time_audit idmap_autorid idmap_tdb2
+                                      idmap_ad
                                       idmap_rid idmap_hash idmap_rfc2307'''))
 
     if Options.options.developer:
diff --git a/source4/lib/tls/tls_tstream.c b/source4/lib/tls/tls_tstream.c
index 2cb75ed..d67f2d9 100644
--- a/source4/lib/tls/tls_tstream.c
+++ b/source4/lib/tls/tls_tstream.c
@@ -1113,16 +1113,17 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
 	}
 
 	if (file_exist(key_file) &&
+	    !file_check_permissions(key_file, geteuid(), 0400, &st) &&
 	    !file_check_permissions(key_file, geteuid(), 0600, &st))
 	{
 		DEBUG(0, ("Invalid permissions on TLS private key file '%s':\n"
-			  "owner uid %u should be %u, mode 0%o should be 0%o\n"
+			  "owner uid %u should be %u, mode %04o should be %04o or %04o\n"
 			  "This is known as CVE-2013-4476.\n"
 			  "Removing all tls .pem files will cause an "
 			  "auto-regeneration with the correct permissions.\n",
 			  key_file,
 			  (unsigned int)st.st_uid, geteuid(),
-			  (unsigned int)(st.st_mode & 0777), 0600));
+			  (unsigned int)(st.st_mode & 0777), 0400, 0600));
 		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 	}
 


-- 
Samba Shared Repository


More information about the samba-cvs mailing list