The branch, master has been updated
       via  05c1fe5 s4:tls_tstream: allow mode of SSL keyfile to be 0400, not only 0600
       via  afdb715 build: Build idmap_ad by default
      from  9fb9438 selftets: durable-open.reopen4 succeeds now.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 05c1fe50556e2330e23b7efb38e653428b9bdadf
Author: Michael Brown <mich...@netdirect.ca>
Date:   Wed Jan 22 03:23:12 2014 +0000

    s4:tls_tstream: allow mode of SSL keyfile to be 0400, not only 0600

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10392

    Signed-off-by: Michael Brown <mich...@netdirect.ca>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Fri Jan 31 01:27:03 CET 2014 on sn-devel-104

commit afdb715d21feaef495685abcd9469976282b34d1
Author: Volker Lendecke <v...@samba.org>
Date:   Thu Jan 30 11:30:05 2014 +0000

    build: Build idmap_ad by default

    Most other idmap modules are built by default. I don't see a reason why
    idmap_ad should be special here.

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/wscript               |    1 +
 source4/lib/tls/tls_tstream.c |    5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)

Changeset truncated at 500 lines:

diff --git a/source3/wscript b/source3/wscript index 501707b..af0ed9f 100644 --- a/source3/wscript +++ b/source3/wscript @@ -1812,6 +1812,7 @@ main() { vfs_worm vfs_crossrename vfs_linux_xfs_sgid vfs_time_audit idmap_autorid idmap_tdb2 + idmap_ad idmap_rid idmap_hash idmap_rfc2307''')) if Options.options.developer: diff --git a/source4/lib/tls/tls_tstream.c b/source4/lib/tls/tls_tstream.c index 2cb75ed..d67f2d9 100644 --- a/source4/lib/tls/tls_tstream.c +++ b/source4/lib/tls/tls_tstream.c 
@@ -1113,16 +1113,17 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx, } if (file_exist(key_file) && + !file_check_permissions(key_file, geteuid(), 0400, &st) && !file_check_permissions(key_file, geteuid(), 0600, &st)) { DEBUG(0, ("Invalid permissions on TLS private key file '%s':\n" - "owner uid %u should be %u, mode 0%o should be 0%o\n" + "owner uid %u should be %u, mode %04o should be %04o or %04o\n" "This is known as CVE-2013-4476.\n" "Removing all tls .pem files will cause an " "auto-regeneration with the correct permissions.\n", key_file, (unsigned int)st.st_uid, geteuid(), - (unsigned int)(st.st_mode & 0777), 0600)); + (unsigned int)(st.st_mode & 0777), 0400, 0600)); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } -- Samba Shared Repository
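
Review bot: In the `if (file_exist(key_file) && ...)` condition of tstream_tls_params_server(), accepting the key file by chaining a second exact-mode call (0400, then 0600) encodes the policy as a list of allowed modes, so every further acceptable owner-only mode needs another file_check_permissions() call and another argument in the DEBUG format. The property the CVE-2013-4476 message is about is that the file belongs to geteuid() and grants nothing to group or other, so consider checking the file once and testing that st.st_uid matches and that `(st.st_mode & 0077)` is zero, or giving the helper a mask of forbidden bits instead of one exact mode. As written, the uid and mode printed by DEBUG come from whatever the last call (the 0600 one) left in st, which is worth a one-line comment since both calls share `&st`. In the DEBUG arguments, `geteuid()` is passed to `%u` and `0400, 0600` to `%04o` without the `(unsigned int)` cast that st.st_uid and st.st_mode get; casting them as well keeps the varargs types consistent with the format string.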