Bug 2879 - Proxy credential is being written to disk without any permission checks on the file
: Proxy credential is being written to disk without any permission checks on th...
Status: RESOLVED FIXED
: RFT
RFT
: 3.9.5
: PC Linux
: P3 blocker
: ---
Assigned To:
:
:
:
:
  Show dependency treegraph
 
Reported: 2005-03-06 19:02 by
Modified: 2005-03-09 18:45 (History)


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description From 2005-03-06 19:02:30
RFT is currently writing the proxy credential to a file created by a call to
File.createTempFile(). No permission checking is done is this file, so it may
well be world readable. 
Now that the delegation service persists credentials RFT does not have to write
credentials to disk so code that deals with this can and should just be removed.

/Sam
------- Comment #1 From 2005-03-06 19:15:26 -------
After the file is created permissions are set on the file by :
Util.setFilePermissions(proxyLocation, 600);
So it is not world-readable
------- Comment #2 From 2005-03-06 19:29:54 -------
But only after the credential is already written to disk, leaving a window of
time where it is unprotected. In general, using createTempFile for creating
secure temporary files seems to be somewhat sketchy: The javadoc for this
function does not put any constraints on security aspects of temp file creation.
------- Comment #3 From 2005-03-09 18:45:32 -------
Fixed in trunk.