Coral Security Issues
Bill Murray
bmurray at snf.stanford.edu
Fri Jun 21 17:02:40 PDT 2002
John,
I've noticed a couple of issues during my attempts to get remote coral
running on atu. (I don't expect you to do anything about these items.
I'm just sending this as a reminder to us both to resolve them at some
point.) First, the encrypted remote passwords stored in
/usr/local/coral/etc/private/shadow on atu (and on platinum2 at psu)
should be created with permissions 600 instead of 644. Although this
is not a serious problem because the private key is required to
decrypt these passwords, this should be corrected. If I remember
correctly, this cannot be done from the auth manager because file
permissions vary across operating systems so there is no standard
mechanism to do this. I believe we handled this by setting the
appropriate umask for the user athmgr. For the moment, I went out
on atu and platinum2 and changed the existing password file permissions
to 600.
The second problem is serious. When the athmgr creates the .keystore
file which contains the private key, its permissions are also set to
644. If we correct the umask problem before running the athmgr the
first time, this problem will also be resolved. For now, I have gone
out to atu and platinum2 and changed the .keystore permissions to 400.
Bill
More information about the coral
mailing list