From 3f38a1540905581889701efa50e9cf83ea8285e3 Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Wed, 22 Jan 2014 03:23:12 +0000
Subject: [PATCH] s4:tls_tstream: allow mode of SSL keyfile to be 0400, not only 0600
---
 source4/lib/tls/tls_tstream.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/source4/lib/tls/tls_tstream.c b/source4/lib/tls/tls_tstream.c
index 2cb75ed..d67f2d9 100644
--- a/source4/lib/tls/tls_tstream.c
+++ b/source4/lib/tls/tls_tstream.c
@@ -1113,16 +1113,17 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
 }
 if (file_exist(key_file) &&
+ !file_check_permissions(key_file, geteuid(), 0400, &st) &&
 !file_check_permissions(key_file, geteuid(), 0600, &st)) {
 DEBUG(0, ("Invalid permissions on TLS private key file '%s':\n"
- "owner uid %u should be %u, mode 0%o should be 0%o\n"
+ "owner uid %u should be %u, mode %04o should be %04o or %04o\n"
 "This is known as CVE-2013-4476.\n"
 "Removing all tls .pem files will cause an "
 "auto-regeneration with the correct permissions.\n",
 key_file, (unsigned int)st.st_uid, geteuid(),
- (unsigned int)(st.st_mode & 0777), 0600));
+ (unsigned int)(st.st_mode & 0777), 0400, 0600));
 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 }
-- 
1.7.9.5
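Review bot: The set of accepted key-file modes is now spelled out three times in this hunk — on the two `!file_check_permissions(...)` lines, in the `%04o or %04o` format string and in the `0400, 0600` argument list — so any further mode must be added in each place and the diagnostic can silently drift from the check it describes. A short comment above the condition would also record why a read-only key is acceptable, which the commit message states but the code does not: `/* The private key must not be readable by group or other; 0400 and 0600 both satisfy that, anything else is rejected. */`. If the list grows, a `static const mode_t allowed_key_modes[]` table walked by one loop, with the message listing the same table, would keep the check and its explanation aligned. The enclosing tstream_tls_params_server() begins before and ends after this hunk.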