[PATCH][SECURITY] Restrict ntp_signd directory to 0750 permissions in Samba 4.0 AD server

Andrew Bartlett abartlet at samba.org
Sun Nov 11 16:27:07 MST 2012


On Sun, 2012-11-11 at 14:44 +0100, Jelmer Vernooij wrote:
> On Mon, 2012-11-12 at 00:30 +1100, Andrew Bartlett wrote:
> > It has been mentioned to me in discussions on IRC with 'Devastator' that
> > I made an error when I initially set up the ntp_signd directory
> > permissions.
> > 
> > I wanted to restrict it, like the winbind privileged pipe, but at the
> > moment the directory is created mode 0755.
> > 
> > The implication is that another user on the system could sign NTP
> > packets using the socket, and could also obtain MD5(unicodePwd) values
> > for the entire domain (to then run an offline attack on). 
> > 
> > As such, this is serious, even if we have generally recommended not
> > sharing the AD DC with other roles where possible.
> > 
> > The issue I have is that while the patch is simple, it is quite late
> > here, and I need a site with working NTP to verify that this all still
> > works, so we can get a bug filed and acked for tomorrow's RC release
> > (hopefully).  
> > 
> > We don't do security releases for pre-release code, but I want to get
> > this out as soon as practical.  
> > 
> > Existing installs will need to change permissions on the NTP socket, as
> > indicated in the commit message. 
> ACK on this change in general.
> 
> Since this is such a serious issue, it would be nice to add a test to
> verify our behaviour with regard to permissions on this directory. 

I'm very happy to, a simple python test should do.

Can you ack this revised set of patches?  Because we are setting the
permissions and expecting the admin to chgrp the directory, I have to
move the socket from var/run to var/lib.

I know this is a serious change, but it is all the more important to get
this right before 4.0.

I'll file blocker bugs for 4.0 rc shortly.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-ntp_signd-Only-allow-group-access-to-the-ntp-signd-d.patch
Type: text/x-patch
Size: 1733 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121112/f7d5210a/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-ntp_signd-move-socket-directory-to-var-lib-not-var-r.patch
Type: text/x-patch
Size: 1224 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121112/f7d5210a/attachment-0001.bin>
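The thread asks for a test that verifies the permissions on the ntp_signd socket directory. The block below is an added example, not Samba's own test suite or the attached patches: it creates the directory with the intended 0750 mode (forcing the mode after mkdir so the umask cannot widen it) and checks a candidate directory for the weaknesses the thread describes (world access, group write, a symlink in place of the directory). The function names, the temporary paths and the "bad" 0755 directory are constructed for the example.

```python
import os
import stat
import tempfile

# Mode the patch intends for the ntp_signd directory: owner rwx, group rx, nothing for others.
NTP_SIGND_DIR_MODE = 0o750


def create_ntp_signd_dir(path, mode=NTP_SIGND_DIR_MODE):
    """Create the socket directory and force the mode regardless of the process umask."""
    os.mkdir(path, mode)
    # mkdir(2) masks the requested mode with the umask; chmod afterwards makes it exact.
    os.chmod(path, mode)
    return path


def check_ntp_signd_dir(path, expected_mode=NTP_SIGND_DIR_MODE):
    """Return a list of problems found with the directory; an empty list means it is acceptable.

    Uses lstat so that a symlink planted at the path is reported rather than followed.
    """
    problems = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["path is a symlink"]
    if not stat.S_ISDIR(st.st_mode):
        return ["path is not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IRWXO:
        # Any 'other' bit lets every local user reach the socket inside.
        problems.append("world-accessible (mode %o)" % mode)
    if mode & stat.S_IWGRP:
        problems.append("group-writable (mode %o)" % mode)
    if mode != expected_mode:
        problems.append("mode %o != expected %o" % (mode, expected_mode))
    if st.st_uid != os.geteuid():
        problems.append("not owned by the current user")
    return problems


def demo():
    """Build a correctly restricted directory and a 0755 one (constructed), and check both."""
    base = tempfile.mkdtemp(prefix="ntp_signd_example_")
    good = create_ntp_signd_dir(os.path.join(base, "ntp_signd"))
    bad = os.path.join(base, "ntp_signd_0755")
    os.mkdir(bad)
    os.chmod(bad, 0o755)  # the mode the thread reports as the original mistake
    return {
        "good": check_ntp_signd_dir(good),
        "bad": check_ntp_signd_dir(bad),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

The check deliberately reports any 'other' bit at all rather than only comparing against 0750, so a directory that is merely "close" (0751, 0754) is still flagged; in a real test the expected mode and the group ownership the admin is asked to set would be asserted as well.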