
[Samba] file rights tls key files.


L.P.H. van Belle
Apr 15, 2016, 4:20:04 AM
Hai,

I'm seeing the following..

[2016/04/15 09:57:55.135038,  0] ../source4/lib/tls/tls_tstream.c:1216(tstream_tls_params_server)
  Invalid permissions on TLS private key file 'server.key.pem':
  owner uid 0 should be 0, mode 0440 should be 0600
  This is known as CVE-2013-4476.

Is there any way to override this setting? I do need 0440 here (or 0400).

0600 is not needed imo.

Greetz,

Louis


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland penny
Apr 15, 2016, 5:10:05 AM
On 15/04/16 09:09, L.P.H. van Belle wrote:
> Hai,
>
>
>
> Im seeing the following..
>
>
>
> [2016/04/15 09:57:55.135038, 0] ../source4/lib/tls/tls_tstream.c:1216(tstream_tls_params_server)
>
> Invalid permissions on TLS private key file 'server.key.pem':
>
> owner uid 0 should be 0, mode 0440 should be 0600
>
> This is known as CVE-2013-4476.
>
>
>
> It there anyway to override this setting? I do need 0440 here. ( or 0400 )
>
> 0600 is not needed imo.
>
>

Hi Louis, I don't think so, see here:
https://www.samba.org/samba/security/CVE-2013-4476.html

Why do you want '-r--r-----' on the key?
What is wrong with '-rw-------'?

Rowland

Björn JACKE
Apr 15, 2016, 5:10:06 AM
On 2016-04-15 at 10:09 +0200 L.P.H. van Belle sent off:
> It there anyway to override this setting?  I do need 0440 here.  ( or 0400 )
>
> 0600 is not needed imo.

Can you say why you need 440 here? I can't think of a valid use case for that.
If another service should use an SSL certificate on that server, you would give
that service another certificate then and not reuse the AD server SSL cert.

Björn

L.P.H. van Belle
Apr 15, 2016, 5:20:04 AM
Yes, I can understand what you're saying.

But I have a "server" certificate, which I use for multiple services.
And since some of these services "run as" another user/group, I have a special group for that. So logically I set 0440 on my key file and 444 on my cert files.
And why does the key file (any certificate file) need a 6? 4 is sufficient.

It's just not logical to make copies of the certificates; that's not why I have a "server" certificate...

I'm just not happy with Samba "enforcing" my security settings..
So, any way to overrule this?


Greetz,

Louis



> -----Original message-----
> From: b...@SerNet.DE [mailto:bja...@sernet.de] On behalf of Björn JACKE
> Sent: Friday 15 April 2016 10:55
> To: L.P.H. van Belle
> CC: sa...@lists.samba.org
> Subject: Re: [Samba] file rights tls key files.
>
> On 2016-04-15 at 10:09 +0200 L.P.H. van Belle sent off:
> > It there anyway to override this setting?  I do need 0440 here.  ( or
> 0400 )
> >
> > 0600 is not needed imo.
>
> can you say, why you need 440 here? I can't think of a valid use case for
> that.
> If another service should use a SSL certificate on that server, you would
> give
> that service another certificate then and not reuse the AD server SSL
> cert.
>
> Björn



Reindl Harald
Apr 15, 2016, 5:20:06 AM

On 15.04.2016 at 11:02 Björn JACKE wrote:
> On 2016-04-15 at 10:09 +0200 L.P.H. van Belle sent off:
>> It there anyway to override this setting? I do need 0440 here. ( or 0400 )
>>
>> 0600 is not needed imo.
>
> can you say, why you need 440 here? I can't think of a valid use case for that.
> If another service should use a SSL certificate on that server, you would give
> that service another certificate then and not reuse the AD server SSL cert

wildcard certificates?


Rowland penny
Apr 15, 2016, 5:30:05 AM
I get the distinct feeling that the only way to 'override' this would be
to modify the Samba code that enforces this and then recompile. Do you
really want to go down that path?

Couldn't you just store the certificate in two places, point Samba at
one with the '0600' rights and everything else at the other with '0440'
rights?

Rowland

Sketch
Apr 15, 2016, 10:10:05 AM
On Fri, 15 Apr 2016, Rowland penny wrote:

> couldn't you just store the certificate in two places, point Samba at one
> with the '0600' rights and everything else at the other with '0440' rights ?

I initially tried to make the files symlinks to my server certs in
/etc/pki/tls, but samba didn't like it (I forget if it didn't like the
file permissions, or the files being symlinks), so I ended up doing what
Rowland suggests. Slightly annoying to have to manage an extra set of key
files in a special location just for Samba, but not the end of the world.
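A small check that mirrors the permission rule reported in the log line from Louis's first message, next to the two-copies workaround Rowland proposed and Sketch ended up using. This is an added example, not code from Samba or from anyone in the thread; the exact comparison (owner uid must match and permission bits must be exactly 0600) is an assumption modelled on the log message, and the key contents are a constructed placeholder.

```python
import os
import shutil
import stat
import tempfile

REQUIRED_MODE = 0o600   # "mode 0440 should be 0600" in the Samba log line
REQUIRED_UID = 0        # "owner uid 0 should be 0": the key must belong to root


def check_tls_key_perms(path, required_uid=REQUIRED_UID):
    """Return a list of problems; an empty list means the file would pass a
    check like the one tstream_tls_params_server logs.  Assumption: the rule
    is owner == required_uid and permission bits == 0600 exactly, so 0440,
    0400 and 0640 all fail the same way."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if st.st_uid != required_uid:
        problems.append(f"owner uid {st.st_uid} should be {required_uid}")
    if mode != REQUIRED_MODE:
        problems.append(f"mode {mode:04o} should be {REQUIRED_MODE:04o}")
    return problems


def make_private_copy(shared_key, samba_key):
    """Rowland's workaround: leave the group-readable shared key where the
    other services expect it and give Samba its own copy with 0600 rights."""
    # Create the destination with 0600 before any key material is written,
    # so there is no window in which the copy is group- or world-readable.
    fd = os.open(samba_key, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as dst, open(shared_key, "rb") as src:
        shutil.copyfileobj(src, dst)
    os.chmod(samba_key, 0o600)  # O_CREAT mode is ignored if the file existed
    return samba_key


def demo(workdir=None):
    """Constructed sample: a 0440 shared key (fails the check) and a 0600
    private copy (passes).  Uses the current uid as the required owner so the
    demonstration runs without root."""
    workdir = workdir or tempfile.mkdtemp()
    me = os.getuid()
    shared = os.path.join(workdir, "server.key.pem")
    with open(shared, "wb") as f:  # placeholder, not a real key
        f.write(b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n")
    os.chmod(shared, 0o440)
    private = make_private_copy(shared, os.path.join(workdir, "samba.key.pem"))
    return {"shared": check_tls_key_perms(shared, me),
            "samba": check_tls_key_perms(private, me)}
```

Run `demo()` to see the shared 0440 key rejected with the same wording as the log line while the 0600 copy passes; pointing Samba's TLS key setting at the copy is the part the thread leaves to the administrator.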

Björn JACKE
Apr 19, 2016, 2:40:03 AM
On 2016-04-15 at 11:08 +0200 Reindl Harald sent off:
> >can you say, why you need 440 here? I can't think of a valid use case for that.
> >If another service should use a SSL certificate on that server, you would give
> >that service another certificate then and not reuse the AD server SSL cert
>
> wildcard certificates?

Using the same private/public key pair on the DC and other servers might be
convenient but is a very bad idea from a security point of view. But if you
really want to do anything like that, knowing that this is *bad*, you can
just copy the cert to some other place in the filesystem, where you also need
it.

Björn

mathias dufresne
Apr 19, 2016, 4:10:04 AM
https://www.samba.org/samba/security/CVE-2013-4476.html says:

"the private key for SSL/TLS encryption might be world readable".
It seems the initial issue was that the key was world readable, which is
not the case for Louis.

Why does Samba force that key to be writeable when the point is that it must
not be world readable?