[Pkg-samba-maint] [samba] 07/13: Add check in init script for key file permission
Ivo De Decker
ivo.dedecker at ugent.be
Sat Nov 23 23:23:42 UTC 2013
Hi Steve,
On Sat, Nov 23, 2013 at 11:48:56AM -0800, Steve Langasek wrote:
> On Sat, Nov 23, 2013 at 07:09:49AM +0000, Ivo De Decker wrote:
> > + KEYPERMS=`stat -c %a $KEYFILE`
> > + if [ "$KEYPERMS" != "600" ]
> > + then
> > + echo "wrong permission on $KEYFILE, must be 600"
> > + echo "samba will not start (CVE-2013-4475)"
> > + echo "Removing all tls .pem files will cause an auto-regeneration with the correct permissions."
> > + exit 1
>
> What exactly is this guarding against? The samba postinst is already fixing
> the permissions, and the bug in samba that would cause wrong permissions is
> fixed; and AIUI, new versions of samba will also fail to start if the
> permissions are wrong. So why add this extra check in the init script?
Samba silently fails, and you have to look hard to find out why. This check
is meant to give the user an error which is actually visible.
Cheers,
Ivo
More information about the Pkg-samba-maint
mailing list