Bugzilla – Bug 2879
Proxy credential is being written to disk without any permission checks on the file
Last modified: 2005-03-09 18:45:32
You need to
before you can comment on or make changes to this bug.
RFT is currently writing the proxy credential to a file created by a call to
File.createTempFile(). No permission checking is done is this file, so it may
well be world readable.
Now that the delegation service persists credentials RFT does not have to write
credentials to disk so code that deals with this can and should just be removed.
After the file is created permissions are set on the file by :
So it is not world-readable
But only after the credential is already written to disk, leaving a window of
time where it is unprotected. In general, using createTempFile for creating
secure temporary files seems to be somewhat sketchy: The javadoc for this
function does not put any constraints on security aspects of temp file creation.
Fixed in trunk.