Hai, I'm seeing the following..

[2016/04/15 09:57:55.135038, 0] ../source4/lib/tls/tls_tstream.c:1216(tstream_tls_params_server)
  Invalid permissions on TLS private key file 'server.key.pem': owner uid 0 should be 0, mode 0440 should be 0600 This is known as CVE-2013-4476.

Is there any way to override this setting? I do need 0440 here (or 0400). 0600 is not needed imo.

Greetz,

Louis
On 2016-04-15 at 10:09 +0200 L.P.H. van Belle sent off:
> Is there any way to override this setting? I do need 0440 here (or 0400).
>
> 0600 is not needed imo.

Can you say why you need 440 here? I can't think of a valid use case for that. If another service should use an SSL certificate on that server, you would give that service another certificate then and not reuse the AD server SSL cert.

Björn
On 15/04/16 09:09, L.P.H. van Belle wrote:
> Hai,
>
> I'm seeing the following..
>
> [2016/04/15 09:57:55.135038, 0] ../source4/lib/tls/tls_tstream.c:1216(tstream_tls_params_server)
>   Invalid permissions on TLS private key file 'server.key.pem':
>   owner uid 0 should be 0, mode 0440 should be 0600
>   This is known as CVE-2013-4476.
>
> Is there any way to override this setting? I do need 0440 here (or 0400).
> 0600 is not needed imo.
>

Hi Louis,

I don't think so, see here: https://www.samba.org/samba/security/CVE-2013-4476.html

Why do you want '-r--r-----' on the key? What is wrong with '-rw-------'?

Rowland
On 15.04.2016 at 11:02, Björn JACKE wrote:
> On 2016-04-15 at 10:09 +0200 L.P.H. van Belle sent off:
>> Is there any way to override this setting? I do need 0440 here (or 0400).
>>
>> 0600 is not needed imo.
>
> Can you say why you need 440 here? I can't think of a valid use case for that.
> If another service should use an SSL certificate on that server, you would give
> that service another certificate then and not reuse the AD server SSL cert.

Wildcard certificates?
Yes, I can understand what you're saying.

But I have a "server" certificate, which I use for multiple services. And since some of these services "run as" other user/group I have a special group for that. So logically I set 0440 on my key file and 444 on my cert files. And why does the key file (any certificate file) need a 6? 4 is sufficient.

It's just not logical to make copies of the certificates; that's not why I have a "server" certificate...

I'm just not happy with Samba "enforcing" my security settings.. So any way to overrule this?

Greetz,

Louis

> -----Original message-----
> From: bj at SerNet.DE [mailto:bjacke at sernet.de] On behalf of Björn JACKE
> Sent: Friday 15 April 2016 10:55
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] file rights tls key files.
>
> On 2016-04-15 at 10:09 +0200 L.P.H. van Belle sent off:
> > Is there any way to override this setting? I do need 0440 here (or 0400).
> >
> > 0600 is not needed imo.
>
> Can you say why you need 440 here? I can't think of a valid use case for that.
> If another service should use an SSL certificate on that server, you would give
> that service another certificate then and not reuse the AD server SSL cert.
>
> Björn
On 15/04/16 10:12, L.P.H. van Belle wrote:
> Yes, I can understand what you're saying.
>
> But I have a "server" certificate, which I use for multiple services.
> And since some of these services "run as" other user/group I have a special group for that. So logically I set 0440 on my key file and 444 on my cert files.
> And why does the key file (any certificate file) need a 6? 4 is sufficient.
>
> It's just not logical to make copies of the certificates; that's not why I have a "server" certificate...
>
> I'm just not happy with Samba "enforcing" my security settings..
> So any way to overrule this?
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: bj at SerNet.DE [mailto:bjacke at sernet.de] On behalf of Björn JACKE
>> Sent: Friday 15 April 2016 10:55
>> To: L.P.H. van Belle
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] file rights tls key files.
>>
>> On 2016-04-15 at 10:09 +0200 L.P.H. van Belle sent off:
>>> Is there any way to override this setting? I do need 0440 here (or 0400).
>>> 0600 is not needed imo.
>> Can you say why you need 440 here? I can't think of a valid use case for that.
>> If another service should use an SSL certificate on that server, you would give
>> that service another certificate then and not reuse the AD server SSL cert.
>>
>> Björn
>

I get the distinct feeling that the only way to 'override' this would be to modify the Samba code that enforces this and then recompile; do you really want to go down that path?

Couldn't you just store the certificate in two places, point Samba at one with the '0600' rights and everything else at the other with the '0440' rights?

Rowland
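As an added example (not Samba's code and not posted by anyone in the thread): a small checker that reproduces the owner/0600 test behind the log line Louis quoted, together with Rowland's workaround of a Samba-only 0600 copy beside the shared 0440 key. The paths and the key contents used in it are constructed.

```python
"""Added example (not Samba's own code): the permission check Samba applies
to its TLS private key, plus the two-copy workaround suggested on the list."""
import os
import shutil
import stat
from typing import List


def check_key_perms(path: str, expected_uid: int = 0) -> List[str]:
    """Return the complaints Samba would log for a TLS private key file.

    Mirrors the log line quoted in the thread: the owner must be expected_uid
    (root on an AD DC) and the mode must be exactly 0600.  An empty list
    means the file would be accepted.
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"owner uid {st.st_uid} should be {expected_uid}")
    if mode != 0o600:
        problems.append(f"mode {mode:04o} should be 0600")
    return problems


def make_private_copy(shared_key: str, private_key: str) -> List[str]:
    """Give Samba its own 0600 copy of a key that is shared as 0440.

    The shared file stays group-readable for the other services; Samba's copy
    is created with mode 0600 from the first byte (explicit mode plus O_EXCL),
    so the key is never exposed through a loose umask or an existing
    world-readable file at the target path.  Returns the re-check of the new
    copy against the current uid (empty on success).
    """
    fd = os.open(private_key, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as dst, open(shared_key, "rb") as src:
        shutil.copyfileobj(src, dst)
    # umask can only strip bits from the create mode, so force exactly 0600.
    os.chmod(private_key, 0o600)
    return check_key_perms(private_key, os.geteuid())


if __name__ == "__main__":
    import sys
    # Usage: script.py /path/to/server.key.pem [expected-uid]
    uid = int(sys.argv[2]) if len(sys.argv) > 2 else 0
    for line in check_key_perms(sys.argv[1], uid) or ["ok"]:
        print(line)
```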