Coral Security Issues

Bill Murray bmurray at snf.stanford.edu
Fri Jun 21 17:02:40 PDT 2002


John,

I've noticed a couple of issues during my attempts to get remote coral
running on atu.  (I don't expect you to do anything about these items.
I'm just sending this as a reminder to us both to resolve them at some
point.)  First, the encrypted remote passwords stored in 
/usr/local/coral/etc/private/shadow on atu (and on platinum2 at psu)
should be created with permissions 600 instead of 644.  Although this
is not a serious problem because the private key is required to 
decrypt these passwords, this should be corrected.  If I remember 
correctly, this cannot be done from the auth manager because file
permissions vary across operating systems so there is no standard 
mechanism to do this.  I believe we handled this by setting the 
appropriate umask for the user athmgr.  For the moment, I went out
on atu and platinum2 and changed the existing password file permissions
to 600.

The second problem is serious.  When the athmgr creates the .keystore
file which contains the private key, its permissions are also set to
644.  If we correct the umask problem before running the athmgr the
first time, this problem will also be resolved.  For now, I have gone
out to atu and platinum2 and changed the .keystore permissions to 400.

Bill







More information about the coral mailing list