CVE-2013-4476: s4:libtls: Create tls private key file (key.pem) with mode 0600

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10234

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c
index 0c780ea2f30f11b249811c2c7911cfa1f3f8fcc6..8a19e0a2301307bbee8df21aff9dc41468c7df33 100644 (file)
--- a/source4/lib/tls/tlscert.c
+++ b/source4/lib/tls/tlscert.c
@@ -152,7 +152,7 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
 
        bufsize = sizeof(buf);
        TLSCHECK(gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buf, &bufsize));
-       if (!file_save(keyfile, buf, bufsize)) {
+       if (!file_save_mode(keyfile, buf, bufsize, 0600)) {
                DEBUG(0,("Unable to save privatekey in %s parent dir exists ?\n", keyfile));
                goto failed;
        }