[Pkg-samba-maint] [samba] 07/13: Add check in init script for key file permission
Steve Langasek
vorlon at debian.org
Sat Nov 23 19:48:56 UTC 2013
On Sat, Nov 23, 2013 at 07:09:49AM +0000, Ivo De Decker wrote:
> + KEYPERMS=`stat -c %a $KEYFILE`
> + if [ "$KEYPERMS" != "600" ]
> + then
> + echo "wrong permission on $KEYFILE, must be 600"
> + echo "samba will not start (CVE-2013-4475)"
> + echo "Removing all tls .pem files will cause an auto-regeneration with the correct permissions."
> + exit 1
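Review bot: The `stat -c %a $KEYFILE` line leaves `$KEYFILE` unquoted and does not check whether `stat` succeeded, so when the key file does not exist `KEYPERMS` is empty, the `!= "600"` test is true, and the script exits 1 with a "wrong permission" message about a file that is not there. This also conflicts with the advice printed in the last `echo`: after removing the .pem files as instructed, this check would block the very start that is meant to regenerate them, unless an existence test sits above the quoted lines. I suggest guarding the block with `[ -e "$KEYFILE" ]`, quoting the variable, and using `$(...)` instead of backticks. It is also worth deciding whether the exact string match on 600 should really reject a stricter mode such as 400.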
What exactly is this guarding against? The samba postinst is already fixing
the permissions, and the bug in samba that would cause wrong permissions is
fixed; and AIUI, new versions of samba will also fail to start if the
permissions are wrong. So why add this extra check in the init script?
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek at ubuntu.com vorlon at debian.org