[Pkg-samba-maint] [samba] 07/13: Add check in init script for key file permission
Ivo De Decker
idd-guest at moszumanska.debian.org
Sat Nov 23 07:09:49 UTC 2013
This is an automated email from the git hooks/post-receive script.
idd-guest pushed a commit to branch master
in repository samba.
commit 0a6c0fb003c5eeca772bd0c3266379a74b866c82
Author: Ivo De Decker <ivo.dedecker at ugent.be>
Date: Mon Nov 11 15:28:47 2013 +0100
Add check in init script for key file permission
---
debian/changelog | 2 ++
debian/samba.samba-ad-dc.init | 15 +++++++++++++++
2 files changed, 17 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index bb40199..94f4f7f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,8 @@ samba (2:4.0.11+dfsg-1) UNRELEASED; urgency=high
- CVE-2013-4476: Private key in key.pem world readable
* Move world-readable private key file on upgrade to allow
auto-regeneration.
+ * Add check in samba-ad-dc init script for wrong permission on private key
+ file that would prevent samba to start.
* Update samba-libs.lintian-overrides for moved libtorture0.
-- Ivo De Decker <ivo.dedecker at ugent.be> Sat, 02 Nov 2013 11:51:28 +0100
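Review bot: in the new changelog line, "would prevent samba to start" should read "would prevent samba from starting". The entry also does not name the CVE the check is for, while the entry two lines above records the world-readable key.pem as CVE-2013-4476 and the init script added in this same commit prints CVE-2013-4475; name the identifier here once and make sure the script uses the same one.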
diff --git a/debian/samba.samba-ad-dc.init b/debian/samba.samba-ad-dc.init
index 03c5a5f..3132d2e 100644
--- a/debian/samba.samba-ad-dc.init
+++ b/debian/samba.samba-ad-dc.init
@@ -35,6 +35,21 @@ case "$1" in
if init_is_upstart; then
exit 1
fi
+
+ # CVE-2013-4475
+ KEYFILE=/var/lib/samba/private/tls/key.pem
+ if [ -e $KEYFILE ]
+ then
+ KEYPERMS=`stat -c %a $KEYFILE`
+ if [ "$KEYPERMS" != "600" ]
+ then
+ echo "wrong permission on $KEYFILE, must be 600"
+ echo "samba will not start (CVE-2013-4475)"
+ echo "Removing all tls .pem files will cause an auto-regeneration with the correct permissions."
+ exit 1
+ fi
+ fi
+
log_daemon_msg "Starting Samba AD DC daemon" "samba"
# Make sure we have our PIDDIR, even if it's on a tmpfs
install -o root -g root -m 755 -d $PIDDIR
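Review bot: the comment `# CVE-2013-4475` and the message "samba will not start (CVE-2013-4475)" cite a different identifier than the changelog in this commit, which records the world-readable key.pem problem as CVE-2013-4476; one of the two is wrong and the script should match the changelog. On the check itself, `if [ "$KEYPERMS" != "600" ]` rejects every mode other than exactly 0600, so a key an admin has tightened to 0400 also stops the daemon, while the test says nothing about ownership, so a 0600 file owned by a non-root user passes; testing the group/other bits (for example `case "$KEYPERMS" in [0-7]00) ;; *) ...`) together with `stat -c %U` would express the actual requirement. `$KEYFILE` is unquoted in `[ -e $KEYFILE ]` and in the `stat` call; the path is fixed so this is harmless today, but quoting costs nothing. Finally, the three messages go to stdout via plain `echo` and then `exit 1`, bypassing the `log_failure_msg`/`log_daemon_msg` reporting the rest of this script uses, so they will not show up where the other start-up failures do.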
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git