Samba4 broken since Upgrade 4.0.6 to 4.0.14

Marc Muehlfeld samba at marc-muehlfeld.de
Wed Jan 29 13:40:19 MST 2014


On 29.01.2014 20:36, Andrew Bartlett wrote:
>> Check your Samba logs for (this will appear in your log.%m, if you hit
>> this):
>> [2014/01/29 20:19:14.836873,  0, pid=4311]
>> ../lib/util/util.c:161(file_check_permissions)
>>     invalid permissions on file '/usr/local/samba/private/tls/key.pem':
>> has 0644 should be 0600
>> [2014/01/29 20:19:14.843206,  0, pid=4311]
>> ../source4/lib/tls/tls_tstream.c:1125(tstream_tls_params_server)
>>     Invalid permissions on TLS private key file
>> '/usr/local/samba/private/tls/key.pem':
>>     owner uid 0 should be 0, mode 0644 should be 0600
>>     This is known as CVE-2013-4476.
>>     Removing all tls .pem files will cause an auto-regeneration with the
>> correct permissions.
>>
>>
>> And to fix it, simply set the mode of your key.pem to 600 and restart Samba.
>
> NO.  NO.  NO.  To fix it, read the message above, that's why we printed
> it.  Remove the .pem files and let Samba re-generate them, as they have
> been exposed!


Yes, you are right. Sorry.


I'd misinterpreted the message to mean that I had the choice:
   Option 1: Change the mode to 600.
   Option 2: Let the files re-create with correct permissions.


Maybe the message could be a bit more explicit, like:
 > It is highly recommended to remove all tls .pem files, as they have
 > been exposed! This will cause an auto-regeneration with the correct
 > permissions.


This could prevent misinterpretation.



Regards,
Marc
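
Added example (not part of the original thread, and not Samba's own code): a shell check for the condition in the log quoted above. It reports a key.pem whose mode is not 0600 and, when group or other bits are set, lists the .pem files to remove rather than suggesting chmod. The function names and the directory argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example: report whether a Samba TLS key is in the state the log describes.

# Octal permission bits of a file (GNU stat, with BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_tls_key DIR
# Prints a verdict and returns: 0 = key.pem is 0600 or absent,
# 1 = group/other bits set (treat the key as exposed), 2 = other mismatch.
check_tls_key() {
    dir=$1
    key="$dir/key.pem"
    if [ ! -e "$key" ]; then
        echo "ABSENT: no key.pem in $dir"
        return 0
    fi
    mode=$(file_mode "$key")
    case "$mode" in
        600)
            # Current state only: a key that was chmod-ed back to 0600 after
            # being readable by others has still been exposed.
            echo "OK: $key is 0600"
            return 0 ;;
        0|*00)
            echo "MISMATCH: $key has 0$mode, should be 0600"
            return 2 ;;
        *)
            echo "EXPOSED: $key has 0$mode, should be 0600"
            echo "Do not just chmod it. Remove these files and restart Samba:"
            for f in "$dir"/*.pem; do
                [ -e "$f" ] && echo "  $f"
            done
            return 1 ;;
    esac
}

# Usage: sh check_tls_key.sh /usr/local/samba/private/tls
if [ "$#" -gt 0 ]; then
    check_tls_key "$1"
fi
```

The check sees only the current mode, so an "OK" result on a key that was previously 0644 does not change the advice in the thread.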





More information about the samba-technical mailing list