Revert "s4:tls_tstream: allow mode of SSL keyfile to be 0400, not only 0600"

Andrew Bartlett abartlet at samba.org
Fri Mar 28 14:43:39 MDT 2014


On Fri, 2014-03-28 at 12:38 +0100, Stefan Metzmacher wrote:
> The branch, master has been updated
>        via  a2c3479 Revert "s4:tls_tstream: allow mode of SSL keyfile to be 0400, not only 0600"
>       from  0dd648a s4:librpc/rpc: remember "ncalrpc_dir" on the dcerpc_pipe->binding
> 
> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
> 
> 
> - Log -----------------------------------------------------------------
> commit a2c34798782a1e4783c258d4e1950a2150d70e18
> Author: Stefan Metzmacher <metze at samba.org>
> Date:   Fri Mar 28 10:24:56 2014 +0100
> 
>     Revert "s4:tls_tstream: allow mode of SSL keyfile to be 0400, not only 0600"
>     
>     This reverts commit 05c1fe50556e2330e23b7efb38e653428b9bdadf.
>     
>     This was discussed here:
>     https://bugzilla.samba.org/show_bug.cgi?id=10392#c11
>     
>     This generated warnings like:
>     invalid permissions on file
>     '/memdisk/metze/W/b138235/samba/bin/ab/promoted_dc/private/tls/key.pem': has
>     0600 should be 0400'.
>     
>     I think we need a better way. Maybe file_check_permissions()
>     should get allow_perms and deny_perms. And we would call it
>     with allow_perms = 0400 and deny_perms = 0177. And bits in none
>     of them are ignored.
>     
>     For now we revert this and wait for a better fix.
>     
>     Signed-off-by: Stefan Metzmacher <metze at samba.org>
>     Reviewed-by: Andrew Bartlett <abartlet at samba.org>
>     
>     Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
>     Autobuild-Date(master): Fri Mar 28 12:37:17 CET 2014 on sn-devel-104

Thanks for handling this. 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



