authorBjörn Baumbach <bb@sernet.de>2013-10-29 17:53:59 +0100
committerKarolin Seeger <kseeger@samba.org>2013-11-11 13:07:16 +0100
commit22af043d2f20760f27150d7d469c7c7b944c6b55 (patch)
tree4c3ca4fa5379ef1cb5fb541d4df6b4d38799dc41 /source4/lib
parente0248cde8dcd82f348218665f5edd6b30cd3ef1f (diff)
CVE-2013-4476: s4:libtls: check for safe permissions of tls private key file (key.pem)
If the TLS key is not owned by root or does not have mode 0600, Samba will not start up. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10234 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Björn Baumbach <bb@sernet.de> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Karolin Seeger <kseeger@samba.org> Autobuild-Date(master): Mon Nov 11 13:07:16 CET 2013 on sn-devel-104
Diffstat (limited to 'source4/lib')
-rw-r--r--source4/lib/tls/tls.c17
-rw-r--r--source4/lib/tls/tls_tstream.c16
2 files changed, 33 insertions, 0 deletions
diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c
index db6d1eb5def..9a3e6106ba0 100644
--- a/source4/lib/tls/tls.c
+++ b/source4/lib/tls/tls.c
@@ -22,6 +22,7 @@
*/
#include "includes.h"
+#include "system/filesys.h"
#include "lib/events/events.h"
#include "lib/socket/socket.h"
#include "lib/tls/tls.h"
@@ -369,6 +370,7 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx, struct loadparm_context *
{
struct tls_params *params;
int ret;
+ struct stat st;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
const char *keyfile = lpcfg_tls_keyfile(tmp_ctx, lp_ctx);
const char *certfile = lpcfg_tls_certfile(tmp_ctx, lp_ctx);
@@ -399,6 +401,21 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx, struct loadparm_context *
talloc_free(hostname);
}
+ if (file_exist(keyfile) &&
+ !file_check_permissions(keyfile, geteuid(), 0600, &st))
+ {
+ DEBUG(0, ("Invalid permissions on TLS private key file '%s':\n"
+ "owner uid %u should be %u, mode 0%o should be 0%o\n"
+ "This is known as CVE-2013-4476.\n"
+ "Removing all tls .pem files will cause an "
+ "auto-regeneration with the correct permissions.\n",
+ keyfile,
+ (unsigned int)st.st_uid, geteuid(),
+ (unsigned int)(st.st_mode & 0777), 0600));
+ talloc_free(tmp_ctx);
+ return NULL;
+ }
+
ret = gnutls_global_init();
if (ret < 0) goto init_failed;
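Review bot: The new check in tls_initialise validates `keyfile` by path and looks only at the file itself, so it says nothing about the directory that holds it, and the key is presumably loaded by path again later, outside this hunk. If that directory is writable by another account, the file can be replaced after the check has passed; a comment such as `/* assumes the tls directory is writable only by the service account */`, or a matching check on the parent directory, would make the assumption explicit. In the DEBUG arguments `geteuid()` is passed to `%u` without the cast that `st.st_uid` gets, so `(unsigned int)geteuid()` would keep format and argument types matched. Both points apply equally to the identical block added to tstream_tls_params_server in tls_tstream.c. The function body starts before and continues after this hunk.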
diff --git a/source4/lib/tls/tls_tstream.c b/source4/lib/tls/tls_tstream.c
index 6bb68fb34c0..2cb75edba48 100644
--- a/source4/lib/tls/tls_tstream.c
+++ b/source4/lib/tls/tls_tstream.c
@@ -19,6 +19,7 @@
#include "includes.h"
#include "system/network.h"
+#include "system/filesys.h"
#include "../util/tevent_unix.h"
#include "../lib/tsocket/tsocket.h"
#include "../lib/tsocket/tsocket_internal.h"
@@ -1083,6 +1084,7 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
struct tstream_tls_params *tlsp;
#if ENABLE_GNUTLS
int ret;
+ struct stat st;
if (!enabled || key_file == NULL || *key_file == 0) {
tlsp = talloc_zero(mem_ctx, struct tstream_tls_params);
@@ -1110,6 +1112,20 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
key_file, cert_file, ca_file);
}
+ if (file_exist(key_file) &&
+ !file_check_permissions(key_file, geteuid(), 0600, &st))
+ {
+ DEBUG(0, ("Invalid permissions on TLS private key file '%s':\n"
+ "owner uid %u should be %u, mode 0%o should be 0%o\n"
+ "This is known as CVE-2013-4476.\n"
+ "Removing all tls .pem files will cause an "
+ "auto-regeneration with the correct permissions.\n",
+ key_file,
+ (unsigned int)st.st_uid, geteuid(),
+ (unsigned int)(st.st_mode & 0777), 0600));
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
ret = gnutls_certificate_allocate_credentials(&tlsp->x509_cred);
if (ret != GNUTLS_E_SUCCESS) {
DEBUG(0,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
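Review bot: The early `return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;` leaves without releasing `tlsp`, which the following `gnutls_certificate_allocate_credentials(&tlsp->x509_cred)` line shows is already allocated at this point; the allocation itself is outside the hunk, presumably on `mem_ctx`. Adding `talloc_free(tlsp);` before the return would mirror how tls_initialise frees `tmp_ctx` on the same failure. The status code is also a loose fit for a file-permission failure; something like `NT_STATUS_ACCESS_DENIED` would tell callers more, though that depends on what the callers of this function expect. The function continues past the end of the hunk.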