summaryrefslogtreecommitdiffstats
path: root/source4/lib
diff options
context:
space:
mode:
authorMichael Brown <michael@netdirect.ca>2014-01-22 03:23:12 +0000
committerStefan Metzmacher <metze@samba.org>2014-01-31 01:27:03 +0100
commit05c1fe50556e2330e23b7efb38e653428b9bdadf (patch)
tree774a167ea638bd1beba7f13e0d525e7e916c96ab /source4/lib
parentafdb715d21feaef495685abcd9469976282b34d1 (diff)
downloadsamba-05c1fe50556e2330e23b7efb38e653428b9bdadf.tar.gz
samba-05c1fe50556e2330e23b7efb38e653428b9bdadf.tar.xz
samba-05c1fe50556e2330e23b7efb38e653428b9bdadf.zip
s4:tls_tstream: allow mode of SSL keyfile to be 0400, not only 0600
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10392 Signed-off-by: Michael Brown <michael@netdirect.ca> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Fri Jan 31 01:27:03 CET 2014 on sn-devel-104
Diffstat (limited to 'source4/lib')
-rw-r--r--source4/lib/tls/tls_tstream.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/source4/lib/tls/tls_tstream.c b/source4/lib/tls/tls_tstream.c
index 2cb75edba4..d67f2d953e 100644
--- a/source4/lib/tls/tls_tstream.c
+++ b/source4/lib/tls/tls_tstream.c
@@ -1113,16 +1113,17 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
}
if (file_exist(key_file) &&
+ !file_check_permissions(key_file, geteuid(), 0400, &st) &&
!file_check_permissions(key_file, geteuid(), 0600, &st))
{
DEBUG(0, ("Invalid permissions on TLS private key file '%s':\n"
- "owner uid %u should be %u, mode 0%o should be 0%o\n"
+ "owner uid %u should be %u, mode %04o should be %04o or %04o\n"
"This is known as CVE-2013-4476.\n"
"Removing all tls .pem files will cause an "
"auto-regeneration with the correct permissions.\n",
key_file,
(unsigned int)st.st_uid, geteuid(),
- (unsigned int)(st.st_mode & 0777), 0600));
+ (unsigned int)(st.st_mode & 0777), 0400, 0600));
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}