[PATCH][SECURITY] Restrict ntp_signd directory to 0750 permissions in Samba 4.0 AD server
Jelmer Vernooij
jelmer at samba.org
Sun Nov 11 06:44:33 MST 2012
On Mon, 2012-11-12 at 00:30 +1100, Andrew Bartlett wrote:
> It has been mentioned to me in discussions on IRC with 'Devastator' that
> I made an error when I initially set up the ntp_signd directory
> permissions.
>
> I wanted to restrict it, like the winbind privileged pipe, but at the
> moment the directory is created mode 0755.
>
> The implication is that another user on the system could sign NTP
> packets using the socket, and could also obtain MD5(unicodePwd) values
> for the entire domain (to then run a offline attack on).
>
> As such, this is serious, even if we have generally recommended not
> sharing the AD DC with other roles where possible.
>
> The issue I have is that while the patch is simple, it is quite late
> here, and I need a site with working NTP to verify that this all still
> works, so we can get a bug filed and acked for tomorrows RC release
> (hopefully).
>
> We don't do security releases for pre-release code, but I want to get
> this out as soon as practical.
>
> Existing installs will need to change permissions on the NTP socket, as
> indicated in the commit message.
ACK on this change in general.
Since this is such a serious issue, it would be nice to add a test to
verify our behaviour with regard to permissions on this directory.
Cheers,
Jelmer
More information about the samba-technical
mailing list