CVE-2013-4476: s4:libtls: check for safe permissions of tls private key file (key...
authorBjörn Baumbach <bb@sernet.de>
Tue, 29 Oct 2013 16:53:59 +0000 (17:53 +0100)
committerKarolin Seeger <kseeger@samba.org>
Mon, 11 Nov 2013 12:07:16 +0000 (13:07 +0100)
If the tls key is not owned by root or does not have mode 0600, samba will not
start up.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10234

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Björn Baumbach <bb@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Mon Nov 11 13:07:16 CET 2013 on sn-devel-104

source4/lib/tls/tls.c
source4/lib/tls/tls_tstream.c

index db6d1eb5def7eda011f3d1a220e0a63ecb380eb7..9a3e6106ba021ac03cd45d8b9af7812e3bfcc6e1 100644 (file)
@@ -22,6 +22,7 @@
 */
 
 #include "includes.h"
+#include "system/filesys.h"
 #include "lib/events/events.h"
 #include "lib/socket/socket.h"
 #include "lib/tls/tls.h"
@@ -369,6 +370,7 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx, struct loadparm_context *
 {
        struct tls_params *params;
        int ret;
+       struct stat st;
        TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
        const char *keyfile = lpcfg_tls_keyfile(tmp_ctx, lp_ctx);
        const char *certfile = lpcfg_tls_certfile(tmp_ctx, lp_ctx);
@@ -399,6 +401,21 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx, struct loadparm_context *
                talloc_free(hostname);
        }
 
+       if (file_exist(keyfile) &&
+           !file_check_permissions(keyfile, geteuid(), 0600, &st))
+       {
+               DEBUG(0, ("Invalid permissions on TLS private key file '%s':\n"
+                         "owner uid %u should be %u, mode 0%o should be 0%o\n"
+                         "This is known as CVE-2013-4476.\n"
+                         "Removing all tls .pem files will cause an "
+                         "auto-regeneration with the correct permissions.\n",
+                         keyfile,
+                         (unsigned int)st.st_uid, geteuid(),
+                         (unsigned int)(st.st_mode & 0777), 0600));
+               talloc_free(tmp_ctx);
+               return NULL;
+       }
+
        ret = gnutls_global_init();
        if (ret < 0) goto init_failed;
 
index 6bb68fb34c0a9e606fec5130bf8cdbb8b9aac948..2cb75edba489a5843078ec742398a527d689b707 100644 (file)
@@ -19,6 +19,7 @@
 
 #include "includes.h"
 #include "system/network.h"
+#include "system/filesys.h"
 #include "../util/tevent_unix.h"
 #include "../lib/tsocket/tsocket.h"
 #include "../lib/tsocket/tsocket_internal.h"
@@ -1083,6 +1084,7 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
        struct tstream_tls_params *tlsp;
 #if ENABLE_GNUTLS
        int ret;
+       struct stat st;
 
        if (!enabled || key_file == NULL || *key_file == 0) {
                tlsp = talloc_zero(mem_ctx, struct tstream_tls_params);
@@ -1110,6 +1112,20 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx,
                                  key_file, cert_file, ca_file);
        }
 
+       if (file_exist(key_file) &&
+           !file_check_permissions(key_file, geteuid(), 0600, &st))
+       {
+               DEBUG(0, ("Invalid permissions on TLS private key file '%s':\n"
+                         "owner uid %u should be %u, mode 0%o should be 0%o\n"
+                         "This is known as CVE-2013-4476.\n"
+                         "Removing all tls .pem files will cause an "
+                         "auto-regeneration with the correct permissions.\n",
+                         key_file,
+                         (unsigned int)st.st_uid, geteuid(),
+                         (unsigned int)(st.st_mode & 0777), 0600));
+               return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+       }
+
        ret = gnutls_certificate_allocate_credentials(&tlsp->x509_cred);
        if (ret != GNUTLS_E_SUCCESS) {
                DEBUG(0,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
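Review bot: The new early return of NT_STATUS_CANT_ACCESS_DOMAIN_INFO leaves tlsp, which the context at the bottom of the hunk shows is already allocated, attached to mem_ctx rather than freed; if the other failure paths in tstream_tls_params_server() free it, this one should match with `talloc_free(tlsp);` before the return — the allocation itself is outside the hunk, so this is inferred. The status value is also a domain-information error for what is a local file-permission failure; if callers do not depend on it, a comment stating why it was chosen would help the next reader. The fourteen-line permission check is duplicated verbatim from source4/lib/tls/tls.c, so a small shared helper taking the key path and returning bool would keep the two messages from drifting apart. The function continues past the end of this hunk.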