From: Devin Teske Date: Mon, 6 Apr 2015 18:03:36 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r281160 - head/usr.sbin/bsdinstall/scripts X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Apr 2015 18:03:36 -0000 Author: dteske Date: Mon Apr 6 18:03:35 2015 New Revision: 281160 URL: https://svnweb.freebsd.org/changeset/base/281160 Log: Fix permissions on ZFS root encryption key (644 -> 600). MFC after: 3 days X-MFC-to: stable/10 stable/9 Security: CVE-2015-1415 Reported by: Pierre Kim Modified: head/usr.sbin/bsdinstall/scripts/zfsboot Modified: head/usr.sbin/bsdinstall/scripts/zfsboot ============================================================================== --- head/usr.sbin/bsdinstall/scripts/zfsboot Mon Apr 6 17:39:36 2015 (r281159) +++ head/usr.sbin/bsdinstall/scripts/zfsboot Mon Apr 6 18:03:35 2015 (r281160) @@ -1128,6 +1128,9 @@ zfs_create_boot() f_eval_catch $funcname dd "$DD_WITH_OPTIONS" \ /dev/random "$bootpool/$zroot_key" \ "bs=4096 count=1" || return $FAILURE + f_eval_catch $funcname "$CHMOD_MODE" \ + go-wrx "$bootpool/$zroot_key" || + return $FAILURE else # Clean up f_eval_catch $funcname zfs "$ZFS_UNMOUNT" \
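Review bot: In zfs_create_boot the key is still written by dd with whatever creation mode the current umask gives, and only tightened afterwards by the added chmod, so between the two commands "$bootpool/$zroot_key" remains readable by group and other. Setting a restrictive umask (for example 077) around the dd call, or creating the empty file with the final mode before writing to it, would mean the key never exists with loose permissions. The symbolic mode go-wrx also leaves the owner bits as they were, while the log message states the target as 600; an absolute mode would make the result independent of the mode the file started with. "$CHMOD_MODE" is not defined in the visible lines, so it is worth confirming that it is set elsewhere in zfsboot. Since the change sits in the installer's creation path, it applies only to keys created by later runs of the script.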