CVE-2013-4476: selftest/Samba4: use umask 0077 within mk_keyblobs()
authorStefan Metzmacher <metze@samba.org>
Wed, 30 Oct 2013 13:48:36 +0000 (14:48 +0100)
committerKarolin Seeger <kseeger@samba.org>
Fri, 8 Nov 2013 09:14:31 +0000 (10:14 +0100)
We should generate private keys with 0600.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10234

Pair-Programmed-With: Björn Baumbach <bb@sernet.de>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
selftest/target/Samba4.pm

index 9fd2d4045107bd6f293233d7112dbef95b1cc2c3..0e798baedd88ba9f692e4e2f4beacb48e3eb3e5e 100644 (file)
@@ -227,7 +227,9 @@ sub mk_keyblobs($$)
        my $admincertfile = "$tlsdir/admincert.pem";
        my $admincertupnfile = "$tlsdir/admincertupn.pem";
 
-       mkdir($tlsdir, 0777);
+       mkdir($tlsdir, 0700);
+       my $oldumask = umask;
+       umask 0077;
 
        #This is specified here to avoid draining entropy on every run
        open(DHFILE, ">$dhfile");
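Review bot: The new `mkdir($tlsdir, 0700);` is unchecked, so when `$tlsdir` already exists from an earlier run the call fails silently and the directory keeps its previous mode (0777 before this commit). The umask likewise only affects newly created files: a key file that already exists and is reopened with `>` is truncated but keeps its old permission bits. If the selftest prefix can be reused between runs (not visible in this hunk), adding `chmod(0700, $tlsdir) or die "chmod $tlsdir: $!";` after the mkdir would tighten an existing directory as well. The body of mk_keyblobs continues outside the hunk.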
@@ -418,6 +420,8 @@ Zd7J9s//rNFNa7waklFkDaY56+QWTFtdvxfE+KoHaqt6X8u6pqi7p3M4wDKQox+9Dx8yWFyq
 Wfz/8alZ5aMezCQzXJyIaJsCLeKABosSwHcpAFmxlQ==
 -----END CERTIFICATE-----
 EOF
+
+       umask $oldumask;
 }
 
 sub provision_raw_prepare($$$$$$$$$$)
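Review bot: `umask $oldumask;` runs only when mk_keyblobs falls through to its closing brace, so a `die` or early `return` between the two hunks would leave the rest of the selftest process at 0077. Most of the sub's body lies outside this hunk, so whether such a path exists cannot be confirmed from here. A short comment above the restore would document the pairing, e.g. `# restore caller's umask; 0077 is only needed while the key material is written`, and any early exit added later should restore it too.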