s4:tls_tstream: allow mode of SSL keyfile to be 0400, not only 0600

author Michael Brown <michael@netdirect.ca>

Wed, 22 Jan 2014 03:23:12 +0000 (03:23 +0000)

committer Stefan Metzmacher <metze@samba.org>

Fri, 31 Jan 2014 00:27:03 +0000 (01:27 +0100)
author Michael Brown <michael@netdirect.ca>
Wed, 22 Jan 2014 03:23:12 +0000 (03:23 +0000)
committer Stefan Metzmacher <metze@samba.org>
Fri, 31 Jan 2014 00:27:03 +0000 (01:27 +0100)
diff --git a/source4/lib/tls/tls_tstream.c b/source4/lib/tls/tls_tstream.c

index 2cb75edba489a5843078ec742398a527d689b707..d67f2d953e758ffca42b1dd1b4aa7cb7c23a92e6 100644 (file)
--- a/source4/lib/tls/tls_tstream.c
+++ b/source4/lib/tls/tls_tstream.c
@@ -1113,16 +1113,17 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
         }
  
         if (file_exist(key_file) &&
+           !file_check_permissions(key_file, geteuid(), 0400, &st) &&
             !file_check_permissions(key_file, geteuid(), 0600, &st))
         {
                 DEBUG(0, ("Invalid permissions on TLS private key file '%s':\n"
-                         "owner uid %u should be %u, mode 0%o should be 0%o\n"
+                         "owner uid %u should be %u, mode %04o should be %04o or %04o\n"
                           "This is known as CVE-2013-4476.\n"
                           "Removing all tls .pem files will cause an "
                           "auto-regeneration with the correct permissions.\n",
                           key_file,
                           (unsigned int)st.st_uid, geteuid(),
-                         (unsigned int)(st.st_mode & 0777), 0600));
+                         (unsigned int)(st.st_mode & 0777), 0400, 0600));
                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
         }
author	Michael Brown <michael@netdirect.ca>
	Wed, 22 Jan 2014 03:23:12 +0000 (03:23 +0000)
committer	Stefan Metzmacher <metze@samba.org>
	Fri, 31 Jan 2014 00:27:03 +0000 (01:27 +0100)