ntp_signd: Only allow group access to the ntp signd directory.
author Andrew Bartlett <abartlet@samba.org>
Sun, 11 Nov 2012 10:32:22 +0000 (21:32 +1100)
committer Michael Adam <obnox@samba.org>
Mon, 12 Nov 2012 11:36:27 +0000 (12:36 +0100)
Existing installations running ntp as group 'ntp' will need to change
the permissions on the ntp_signd socket directory (e.g.
PREFIX/lib/ntp_signd or /var/lib/samba/ntp_signd).

The reason is that allowing other users on the host access to this
directory would allow them to potentially spoof time on the network,
or attack the password database with a chosen plaintext attack.

Permissions should be changed to:

ownership root:ntp (if ntp runs as gid ntp)
mode 0750 (this is what it will be created as)

If the permissions are not changed, Samba will refuse to start the
ntp_signd server, and NTP operations will not be signed.  As the error
is declared fatal, in the future, Samba may totally refuse to start.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Nov 12 12:36:30 CET 2012 on sn-devel-104

source4/ntp_signd/ntp_signd.c

index 1de9cc30f97757467a9322335d2c97de152bfe7d..0c3899fc55bb41e18142eb99005041f3c2b9e63a 100644 (file)
@@ -498,7 +498,7 @@ static void ntp_signd_task_init(struct task_server *task)
 
        const char *address;
 
-       if (!directory_create_or_exist(lpcfg_ntp_signd_socket_directory(task->lp_ctx), geteuid(), 0755)) {
+       if (!directory_create_or_exist(lpcfg_ntp_signd_socket_directory(task->lp_ctx), geteuid(), 0750)) {
                char *error = talloc_asprintf(task, "Cannot create NTP signd pipe directory: %s", 
                                              lpcfg_ntp_signd_socket_directory(task->lp_ctx));
                task_server_terminate(task,
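
Review bot: the error string on the failure path right after the changed directory_create_or_exist() call still reads "Cannot create NTP signd pipe directory: %s", yet per the commit message this path will now also be taken on existing installations whose directory was left at the old mode. Suggest rewording the message so it names the expected mode (0750) and ownership, so the administrator can see what to change instead of assuming a creation failure. A short comment above the call stating why access for other users is denied (time spoofing and the chosen plaintext attack on the password database, as the commit message explains) would help keep the mode from being relaxed later. The call passes only geteuid() and the mode, so nothing visible in this hunk checks the group; the root:ntp ownership requirement from the commit message should also be documented where administrators will find it.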