[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Fri Mar 28 05:38:04 MDT 2014


The branch, master has been updated
       via  a2c3479 Revert "s4:tls_tstream: allow mode of SSL keyfile to be 0400, not only 0600"
      from  0dd648a s4:librpc/rpc: remember "ncalrpc_dir" on the dcerpc_pipe->binding

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a2c34798782a1e4783c258d4e1950a2150d70e18
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Mar 28 10:24:56 2014 +0100

    Revert "s4:tls_tstream: allow mode of SSL keyfile to be 0400, not only 0600"
    
    This reverts commit 05c1fe50556e2330e23b7efb38e653428b9bdadf.
    
    This was discussed here:
    https://bugzilla.samba.org/show_bug.cgi?id=10392#c11
    
    This generated warnings like:
    invalid permissions on file
    '/memdisk/metze/W/b138235/samba/bin/ab/promoted_dc/private/tls/key.pem': has
    0600 should be 0400'.
    
    I think we need a better way. Maybe file_check_permissions()
    should get allow_perms and deny_perms. And we would call it
    with allow_perms = 0400 and deny_perms = 0177. And bits in none
    of them are ignored.
    
    For now we revert this and wait for a better fix.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Fri Mar 28 12:37:17 CET 2014 on sn-devel-104

-----------------------------------------------------------------------

Summary of changes:
 source4/lib/tls/tls_tstream.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/lib/tls/tls_tstream.c b/source4/lib/tls/tls_tstream.c
index d67f2d9..2cb75ed 100644
--- a/source4/lib/tls/tls_tstream.c
+++ b/source4/lib/tls/tls_tstream.c
@@ -1113,17 +1113,16 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
 	}
 
 	if (file_exist(key_file) &&
-	    !file_check_permissions(key_file, geteuid(), 0400, &st) &&
 	    !file_check_permissions(key_file, geteuid(), 0600, &st))
 	{
 		DEBUG(0, ("Invalid permissions on TLS private key file '%s':\n"
-			  "owner uid %u should be %u, mode %04o should be %04o or %04o\n"
+			  "owner uid %u should be %u, mode 0%o should be 0%o\n"
 			  "This is known as CVE-2013-4476.\n"
 			  "Removing all tls .pem files will cause an "
 			  "auto-regeneration with the correct permissions.\n",
 			  key_file,
 			  (unsigned int)st.st_uid, geteuid(),
-			  (unsigned int)(st.st_mode & 0777), 0400, 0600));
+			  (unsigned int)(st.st_mode & 0777), 0600));
 		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 	}
 
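Review bot: with the 0400 branch removed, a key that was deliberately installed with the stricter mode 0400 is rejected again, and the updated message tells the administrator the mode "should be 0600", i.e. the file must be made less restrictive to pass the check. The chained form being reverted had its own defect, visible in the commit message: each failing file_check_permissions() call logs its own warning, so a correct 0600 key produced the spurious "has 0600 should be 0400" noise. Rather than chaining two calls, consider testing st.st_mode once against an allowed set (reject any bit of 0177, require 0400), which accepts both 0400 and 0600 with a single diagnostic; the "%04o" to "0%o" format change is harmless since both print 0600 for the masked value.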


-- 
Samba Shared Repository
