[Pkg-samba-maint] Bug#873521: samba: tls options not compatible with ssl-cert group

Troy Ready troy at troyready.com
Mon Aug 28 17:48:27 UTC 2017 

Package: samba
Version: 2:4.5.8+dfsg-0ubuntu0.17.04.5
Severity: normal
Tags: upstream

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Maintainer,

TLS private key files are explicitly checked for permissions 0600 at
startup[0], which precludes the use of the ssl-cert group to manage the key.

This may be changed upstream at some point[1], but for now I think it'd be
appropriate for Debian to extend the check to allow for some form of group-read
permissions.

The original reason for locking it down so strictly was CVE-2013-4476[2], which
was reported because of world-readable permissions; group-read permissions
wouldn't be a regression on the CVE fix.

If someone was open to taking this, it should be trivial to adapt the patch
from #10392[1] for it (happy to submit that here if it would help).

References:
 0 - https://anonscm.debian.org/cgit/pkg-
samba/samba.git/tree/source4/lib/tls/tls.c#n409

 1 - https://bugzilla.samba.org/show_bug.cgi?id=10392 -- this bug report
currently only seeks make the allowed permissions 0600 & 0400, but I've
requested access to their bugzilla to see about accounting for this use case as
well.

 2 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4476

- --
Thanks,
- -Troy Ready



- -- System Information:
Debian Release: stretch/sid
  APT prefers zesty-updates
  APT policy: (500, 'zesty-updates'), (500, 'zesty-security'), (500, 'zesty'), (100, 'zesty-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.10.0-32-generic (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages samba depends on:
ii  adduser              3.113+nmu3ubuntu5
ii  dpkg                 1.18.10ubuntu2
ii  init-system-helpers  1.47
ii  libbsd0              0.8.3-1
ii  libc6                2.24-9ubuntu2.2
ii  libldb1              2:1.1.27-1
ii  libpam-modules       1.1.8-3.2ubuntu2
ii  libpam-runtime       1.1.8-3.2ubuntu2
ii  libpopt0             1.16-10
ii  libpython2.7         2.7.13-2
ii  libtalloc2           2.1.8-1
ii  libtdb1              1.3.11-2
ii  libtevent0           0.9.31-1
ii  libwbclient0         2:4.5.8+dfsg-0ubuntu0.17.04.5
ii  lsb-base             9.20160110ubuntu5
ii  procps               2:3.3.12-1ubuntu2
ii  python               2.7.13-2
ii  python-dnspython     1.15.0-1+certbot~zesty+1
ii  python-samba         2:4.5.8+dfsg-0ubuntu0.17.04.5
pn  python2.7:any        <none>
pn  python:any           <none>
ii  samba-common         2:4.5.8+dfsg-0ubuntu0.17.04.5
ii  samba-common-bin     2:4.5.8+dfsg-0ubuntu0.17.04.5
ii  samba-libs           2:4.5.8+dfsg-0ubuntu0.17.04.5
ii  tdb-tools            1.3.11-2
ii  update-inetd         4.44

Versions of packages samba recommends:
ii  attr                1:2.4.47-2
ii  logrotate           3.8.7-2ubuntu3
ii  samba-dsdb-modules  2:4.5.8+dfsg-0ubuntu0.17.04.5
ii  samba-vfs-modules   2:4.5.8+dfsg-0ubuntu0.17.04.5

Versions of packages samba suggests:
pn  bind9          <none>
pn  bind9utils     <none>
pn  ctdb           <none>
pn  ldb-tools      <none>
pn  ntp | chrony   <none>
pn  smbldap-tools  <none>
ii  ufw            0.35-4
pn  winbind        <none>

- -- no debconf information

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlmkV2sACgkQwvJxYGTPVWm04QCfYctf87WA5dqLDSr7RbKqtKXn
/wUAoJN6w6H8N6k0R9zLR/3cyh501OZO
=A+vl
-----END PGP SIGNATURE-----

More information about the Pkg-samba-maint mailing list