[PATCH][SECURITY] Restrict ntp_signd directory to 0750 permissions in Samba 4.0 AD server

Jelmer Vernooij jelmer at samba.org
Sun Nov 11 06:44:33 MST 2012

On Mon, 2012-11-12 at 00:30 +1100, Andrew Bartlett wrote:
> It has been mentioned to me in discussions on IRC with 'Devastator' that
> I made an error when I initially set up the ntp_signd directory
> permissions.
> I wanted to restrict it, like the winbind privileged pipe, but at the
> moment the directory is created mode 0755.
> The implication is that another user on the system could sign NTP
> packets using the socket, and could also obtain MD5(unicodePwd) values
> for the entire domain (to then run a offline attack on). 
> As such, this is serious, even if we have generally recommended not
> sharing the AD DC with other roles where possible.
> The issue I have is that while the patch is simple, it is quite late
> here, and I need a site with working NTP to verify that this all still
> works, so we can get a bug filed and acked for tomorrows RC release
> (hopefully).  
> We don't do security releases for pre-release code, but I want to get
> this out as soon as practical.  
> Existing installs will need to change permissions on the NTP socket, as
> indicated in the commit message. 
ACK on this change in general.

Since this is such a serious issue, it would be nice to add a test to
verify our behaviour with regard to permissions on this directory. 



More information about the samba-technical mailing list