[Pkg-samba-maint] Bug#873521: Bug#873521: samba: tls options not compatible with ssl-cert group

Mathieu Parent math.parent at gmail.com
Thu Oct 5 09:32:27 UTC 2017


2017-08-28 19:48 GMT+02:00 Troy Ready <troy at troyready.com>:
[...]
> Dear Maintainer,
>
> TLS private key files are explicitly checked for permissions 0600 at
> startup[0], which precludes the use of the ssl-cert group to manage the key.
>
> This may be changed upstream at some point[1], but for now I think it'd be
> appropriate for Debian to extend the check to allow for some form of group-read
> permissions.
>
> The original reason for locking it down so strictly was CVE-2013-4476[2], which
> was reported because of world-readable permissions; group-read permissions
> wouldn't be a regression on the CVE fix.
>
> If someone was open to taking this, it should be trivial to adapt the patch
> from #10392[1] for it (happy to submit that here if it would help).

Hello,

We're not against this change, but please propose a patch upstream
first. Once it is merged upstream (in the master branch), we can
backport it to the Debian package.

Regards

-- 
Mathieu Parent
