[Pkg-samba-maint] [samba] 07/13: Add check in init script for key file permission

Steve Langasek vorlon at debian.org
Sat Nov 23 19:48:56 UTC 2013


On Sat, Nov 23, 2013 at 07:09:49AM +0000, Ivo De Decker wrote:
> +				KEYPERMS=`stat -c %a $KEYFILE`
> +				if [ "$KEYPERMS" != "600" ]
> +				then
> +						echo "wrong permission on $KEYFILE, must be 600"
> +						echo "samba will not start (CVE-2013-4475)"
> +						echo "Removing all tls .pem files will cause an auto-regeneration with the correct permissions."
> +						exit 1

What exactly is this guarding against?  The samba postinst is already fixing
the permissions, and the bug in samba that would cause wrong permissions is
fixed; and AIUI, new versions of samba will also fail to start if the
permissions are wrong.  So why add this extra check in the init script?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-samba-maint/attachments/20131123/7cdad144/attachment.sig>


More information about the Pkg-samba-maint mailing list