Bug 2879 – Proxy credential is being written to disk without any permission checks on the file

Bug 2879 - Proxy credential is being written to disk without any permission checks on the file

Summary:

Proxy credential is being written to disk without any permission checks on th...

Status:	RESOLVED FIXED

Product:	RFT
Component:	RFT
Version:	3.9.5
Platform:	PC Linux

Importance:	P3 blocker
Target Milestone:	---
Assigned To:	Ravi Madduri

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2005-03-06 19:02 by Sam Meder
Modified:	2005-03-09 18:45 (History)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note

You need to log in before you can comment on or make changes to this bug.

Description From Sam Meder 2005-03-06 19:02:30

RFT is currently writing the proxy credential to a file created by a call to
File.createTempFile(). No permission checking is done is this file, so it may
well be world readable. 
Now that the delegation service persists credentials RFT does not have to write
credentials to disk so code that deals with this can and should just be removed.

/Sam

------- Comment #1 From Ravi Madduri 2005-03-06 19:15:26 -------

After the file is created permissions are set on the file by :
Util.setFilePermissions(proxyLocation, 600);
So it is not world-readable

------- Comment #2 From Sam Meder 2005-03-06 19:29:54 -------

But only after the credential is already written to disk, leaving a window of
time where it is unprotected. In general, using createTempFile for creating
secure temporary files seems to be somewhat sketchy: The javadoc for this
function does not put any constraints on security aspects of temp file creation.

------- Comment #3 From Ravi Madduri 2005-03-09 18:45:32 -------

Fixed in trunk.