CVE-2013-4476: selftest/Samba4: use umask 0077 within mk_keyblobs()
authorStefan Metzmacher <metze@samba.org>
Wed, 30 Oct 2013 13:48:36 +0000 (14:48 +0100)
committerKarolin Seeger <kseeger@samba.org>
Mon, 11 Nov 2013 10:14:36 +0000 (11:14 +0100)
We should generate private keys with 0600.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10234

Pair-Programmed-With: Björn Baumbach <bb@sernet.de>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
selftest/target/Samba4.pm

index 646ac73061076bd815e3ecbb675f24be3e857207..96d1657ea8f0075c5bccbca3b4b807212ba1f846 100644 (file)
@@ -258,7 +258,9 @@ sub mk_keyblobs($$)
        my $admincertfile = "$tlsdir/admincert.pem";
        my $admincertupnfile = "$tlsdir/admincertupn.pem";
 
-       mkdir($tlsdir, 0777);
+       mkdir($tlsdir, 0700);
+       my $oldumask = umask;
+       umask 0077;
 
        #This is specified here to avoid draining entropy on every run
        open(DHFILE, ">$dhfile");
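Review bot: The tightened `mkdir($tlsdir, 0700)` and the new `umask 0077` only affect paths that do not exist yet. If an earlier selftest run already created `$tlsdir` with 0777 and the key files with a permissive mode, the mkdir fails with its return value unchecked and `open(DHFILE, ">$dhfile")` truncates the file without changing its mode. Adding `chmod(0700, $tlsdir) or die "chmod $tlsdir: $!";` right after the mkdir would cover the directory case. mk_keyblobs continues outside this hunk, so whether existing key files are removed before being rewritten is not visible here.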
@@ -449,6 +451,8 @@ Zd7J9s//rNFNa7waklFkDaY56+QWTFtdvxfE+KoHaqt6X8u6pqi7p3M4wDKQox+9Dx8yWFyq
 Wfz/8alZ5aMezCQzXJyIaJsCLeKABosSwHcpAFmxlQ==
 -----END CERTIFICATE-----
 EOF
+
+       umask $oldumask;
 }
 
 sub provision_raw_prepare($$$$$$$$$$)
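Review bot: The restore `umask $oldumask;` sits only at the very end of mk_keyblobs, so an early `return`, or a `die` that a caller catches, would leave the whole selftest process running with umask 0077. The body between the two hunks is not visible here, so this may not be reachable today. A comment above the line such as `# restore the caller's umask; this must stay the only exit path of mk_keyblobs()` would document the constraint for later edits.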