From 2ca3eae4c50316a723ca9fcf8ec766d8b40b3908 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bj=C3=B6rn=20Baumbach?= <bb@sernet.de>
Date: Tue, 29 Oct 2013 17:52:39 +0100
Subject: [PATCH] CVE-2013-4476: s4:libtls: Create tls private key file
 (key.pem) with mode 0600
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10234

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 source4/lib/tls/tlscert.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c
index 0c780ea2f30..8a19e0a2301 100644
--- a/source4/lib/tls/tlscert.c
+++ b/source4/lib/tls/tlscert.c
@@ -152,7 +152,7 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
 
 	bufsize = sizeof(buf);
 	TLSCHECK(gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buf, &bufsize));
-	if (!file_save(keyfile, buf, bufsize)) {
+	if (!file_save_mode(keyfile, buf, bufsize, 0600)) {
 		DEBUG(0,("Unable to save privatekey in %s parent dir exists ?\n", keyfile));
 		goto failed;
 	}
-- 
2.11.4.GIT