Samba4 broken since Upgrade 4.0.6 to 4.0.14
Christian Vielhauer
c.vielhauer at me.com
Wed Jan 29 15:28:42 MST 2014
Wow thanks for using the magic crystal ball :-)
I increase the log level more and more and the output gets more unreadable.
With no log level option it appears directly in log %m. But it looks very harmless because it doesn't start with warning or error.
Because it looks like a change from older to latest version you can add a Note after make install ...successfully, or interactively remove/rename these files when they are wrong ;-)
Just an idea
A lot of thanks
Regards Chris
> On 29.01.2014 at 21:40, Marc Muehlfeld <samba at marc-muehlfeld.de> wrote:
>
> On 29.01.2014 20:36, Andrew Bartlett wrote:
>>> Check your Samba logs for (this will appear in your log.%m, if you hit
>>> this):
>>> [2014/01/29 20:19:14.836873, 0, pid=4311]
>>> ../lib/util/util.c:161(file_check_permissions)
>>> invalid permissions on file '/usr/local/samba/private/tls/key.pem':
>>> has 0644 should be 0600
>>> [2014/01/29 20:19:14.843206, 0, pid=4311]
>>> ../source4/lib/tls/tls_tstream.c:1125(tstream_tls_params_server)
>>> Invalid permissions on TLS private key file
>>> '/usr/local/samba/private/tls/key.pem':
>>> owner uid 0 should be 0, mode 0644 should be 0600
>>> This is known as CVE-2013-4476.
>>> Removing all tls .pem files will cause an auto-regeneration with the
>>> correct permissions.
>>>
>>>
>>> And to fix it, simply set the mode of your key.pem to 600 and restart Samba.
>>
>> NO. NO. NO. To fix it, read the message above, that's why we printed
>> it. Remove the .pem files and let Samba re-generate them, as they have
>> been exposed!
>
>
> Yes, you are right. Sorry.
>
>
> I'd misinterpreted the message that I had the choice:
> Option 1: Change the mode to 600.
> Option 2: Let the files re-create with correct permissions.
>
>
> Maybe the message could be a bit more explicit, like:
> > It is highly recommended to remove all tls .pem files, as they have
> > been exposed! This will cause an auto-regeneration with the correct
> > permissions.
>
>
> This could prevent misinterpretation.
>
>
>
> Regards,
> Marc
>
>
>
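An added example, not part of the original thread and not Samba's own code: a Python audit that applies the check described in the quoted log message (key.pem owned by the expected uid, mode 0600) and, on failure, lists the .pem files to remove for regeneration instead of changing their mode. The function names, the `expected_uid` parameter, the exact-match mode comparison and the temporary directory contents are assumptions made for illustration.

```python
import os
import stat
import tempfile

EXPECTED_MODE = 0o600  # the mode the log message says key.pem should have


def audit_tls_key(path, expected_uid=0):
    """Return the problems found on a private key file (empty list = none)."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid} should be {expected_uid}")
    if mode != EXPECTED_MODE:
        findings.append(f"mode {mode:04o} should be {EXPECTED_MODE:04o}")
    return findings


def audit_tls_dir(tls_dir, expected_uid=0):
    """Return (status, pem_files_to_remove) for a Samba-style tls directory."""
    key = os.path.join(tls_dir, "key.pem")
    if not os.path.exists(key):
        return "no-key", []
    if not audit_tls_key(key, expected_uid):
        # Only the current mode is visible here; a key that was readable
        # earlier and then chmod'ed still has to be regenerated.
        return "ok", []
    # The key may have been read by other users, so every .pem file is listed
    # for removal instead of having its mode changed.
    pems = sorted(n for n in os.listdir(tls_dir) if n.endswith(".pem"))
    return "exposed", [os.path.join(tls_dir, n) for n in pems]


if __name__ == "__main__":
    # Constructed sample: a throwaway directory standing in for private/tls.
    with tempfile.TemporaryDirectory() as d:
        for name in ("ca.pem", "cert.pem", "key.pem"):
            open(os.path.join(d, name), "w").close()
        os.chmod(os.path.join(d, "key.pem"), 0o644)
        status, to_remove = audit_tls_dir(d, expected_uid=os.getuid())
        print(status)
        for p in to_remove:
            print("remove and let Samba regenerate:", p)
```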