[PATCH][SECURITY] Restrict ntp_signd directory to 0750 permissions in Samba 4.0 AD server
abartlet at samba.org
Sun Nov 11 06:30:14 MST 2012
It has been mentioned to me in discussions on IRC with 'Devastator' that
I made an error when I initially set up the ntp_signd directory.
I wanted to restrict it, like the winbind privileged pipe, but at the
moment the directory is created mode 0755.
The implication is that another user on the system could sign NTP
packets using the socket, and could also obtain MD5(unicodePwd) values
for the entire domain (to then run an offline attack on).
As such, this is serious, even if we have generally recommended not
sharing the AD DC with other roles where possible.
The issue I have is that while the patch is simple, it is quite late
here, and I need a site with working NTP to verify that this all still
works, so we can get a bug filed and acked for tomorrow's RC release.
We don't do security releases for pre-release code, but I want to get
this out as soon as practical.
Existing installs will need to change permissions on the NTP socket, as
indicated in the commit message.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1596 bytes
Desc: not available
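
A check an administrator could run on an existing install, as an added example that is not part of the original message or of the scrubbed patch: it reports whether a directory guarding a privileged socket still grants access to other users, and applies the 0750 mode from the subject line. The function names are hypothetical, GNU coreutils `stat` is assumed, and the directory path is supplied by the caller because the message does not state it.

```shell
#!/bin/sh
# Added example. GNU coreutils stat is assumed; the directory path is given
# by the caller because the message above does not state it.

# Return 0 when "other" has no permission bits on DIR, 1 when it does,
# 2 when DIR is not a directory.
check_signd_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    mode=$(stat -c '%a' "$dir")
    # Leading 0 makes the shell read the mode as octal; keep the "other" digit.
    other=$(( 0$mode & 7 ))
    if [ "$other" -ne 0 ]; then
        echo "FAIL $dir mode $mode: grants access to other users"
        return 1
    fi
    echo "OK   $dir mode $mode"
    return 0
}

# List sockets directly inside DIR with owner, group and mode, so the
# group that 0750 still admits can be reviewed.
list_sockets() {
    find "$1" -maxdepth 1 -type s -exec stat -c '%U:%G %a %n' {} +
}

# Apply the mode from the patch subject to an existing directory.
restrict_signd_dir() {
    chmod 0750 "$1"
}

# Demonstration on a constructed temporary directory (not a real install).
demo=$(mktemp -d)
chmod 0755 "$demo"
check_signd_dir "$demo" || true     # reports FAIL
restrict_signd_dir "$demo"
check_signd_dir "$demo"             # reports OK
list_sockets "$demo"                # prints nothing: no sockets here
rmdir "$demo"
```

Mode 0750 still admits the directory's group, so the `list_sockets` output is worth reading on a real install to confirm which group that is.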