From: Stefan Metzmacher
Date: Wed, 30 Oct 2013 13:48:36 +0000 (+0100)
Subject: CVE-2013-4476: selftest/Samba4: use umask 0077 within mk_keyblobs()
X-Git-Tag: tevent-0.9.20~406
X-Git-Url: http://git.samba.org/?p=samba.git;a=commitdiff_plain;h=cf29fb2

CVE-2013-4476: selftest/Samba4: use umask 0077 within mk_keyblobs()

We should generate private keys with 0600.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10234
Pair-Programmed-With: Björn Baumbach
Signed-off-by: Stefan Metzmacher
Signed-off-by: Björn Baumbach
Reviewed-by: Stefan Metzmacher
---
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 646ac730610..96d1657ea8f 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -258,7 +258,9 @@ sub mk_keyblobs($$)
 my $admincertfile = "$tlsdir/admincert.pem";
 my $admincertupnfile = "$tlsdir/admincertupn.pem";
- mkdir($tlsdir, 0777);
+ mkdir($tlsdir, 0700);
+ my $oldumask = umask;
+ umask 0077;
 #This is specified here to avoid draining entropy on every run
 open(DHFILE, ">$dhfile");
@@ -449,6 +451,8 @@ Zd7J9s//rNFNa7waklFkDaY56+QWTFtdvxfE+KoHaqt6X8u6pqi7p3M4wDKQox+9Dx8yWFyq
 Wfz/8alZ5aMezCQzXJyIaJsCLeKABosSwHcpAFmxlQ==
 -----END CERTIFICATE-----
 EOF
+
+ umask $oldumask;
 }
 sub provision_raw_prepare($$$$$$$$$$)
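Review bot: The tightened `mkdir($tlsdir, 0700);` and `umask 0077;` only affect paths that do not exist yet. If `$tlsdir` or the key files survive from an earlier run made with the old 0777 mode, `mkdir` fails (its return value is not checked) and `open(DHFILE, ">$dhfile")` truncates without changing the existing mode, so private keys can stay group- or world-readable. Adding `chmod(0700, $tlsdir) or die "chmod $tlsdir: $!";` after the mkdir, and unlinking or chmod-ing existing key files before rewriting them, would close that gap. The rest of mk_keyblobs lies outside this hunk, so whether it already skips or removes existing files is not visible here.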
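Review bot: `umask $oldumask;` runs only if mk_keyblobs reaches its closing brace, so an early `return` or a `die` between the `umask 0077;` of the first hunk and this line would leave the whole selftest process at 0077. That code is outside both hunks, so it is worth confirming that no such exit path exists. A comment above the restore, such as `# restore the caller's umask; every exit path from mk_keyblobs must pass through here`, would warn later editors.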