[PATCH][SECURITY] Restrict ntp_signd directory to 0750 permissions in Samba 4.0 AD server

Andrew Bartlett abartlet at samba.org
Sun Nov 11 06:30:14 MST 2012

It has been mentioned to me in discussions on IRC with 'Devastator' that
I made an error when I initially set up the ntp_signd directory

I wanted to restrict it, like the winbind privileged pipe, but at the
moment the directory is created mode 0755.

The implication is that another user on the system could sign NTP
packets using the socket, and could also obtain MD5(unicodePwd) values
for the entire domain (to then run a offline attack on). 

As such, this is serious, even if we have generally recommended not
sharing the AD DC with other roles where possible.

The issue I have is that while the patch is simple, it is quite late
here, and I need a site with working NTP to verify that this all still
works, so we can get a bug filed and acked for tomorrows RC release

We don't do security releases for pre-release code, but I want to get
this out as soon as practical.  

Existing installs will need to change permissions on the NTP socket, as
indicated in the commit message. 

Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-ntp_signd-Only-allow-group-access-to-the-ntp-signd-d.patch
Type: text/x-patch
Size: 1596 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121112/e6f5e6ee/attachment.bin>

More information about the samba-technical mailing list