Are file permissions appropriately set for Lotus Domino configuration files on the Linux platform during installation?

Technote (FAQ)


Question

A recent advisory reports that the file permissions for certain Lotus Domino configuration files, such as notes.ini, are set incorrectly upon installation. The advisory address is as follows:
http://www.excluded.ath.cx/advisories/advisory05.txt

Answer

The behavior noted by the anonymous researcher was caused by umask settings for the Domino user account that were incorrectly configured by the user or server administrator.

By default, when installing Domino on Linux, the notes.ini file will have the permissions

-rw-r--r--

which means that only the owner has permissions to write to the file.

Domino is installed as root and the data directory has the correct permissions such that only the Domino user can write to any files/directories within the data directory. In addition, no one has execute bits on any files in the data directory. The only exception to this is for directories, which must have the execute bit set in order to be read.

Domino setup is run as the user, therefore files created during setup will be created with the umask of the Domino user. This is where the reported issue could be introduced. If the umask is set incorrectly, then it would be possible to give others read/write/execute permissions. During normal operations, any existing notes.ini file would be backed up and a new notes.ini created. This newly created file would have the umask of the user.

The Domino server also runs as the user. This is another instance in which the reported issue could manifest itself because any files created (i.e. databases) will be created with the umask of the user.

The way to remove this vulnerability is for the user to have a default umask such as 077, which removes read/write/execute for group/other from any files which are created by the Domino server running as the user. A person can tell what their default umask is by simply entering the command "umask" which will result in a 3 digit number of their umask.



Rate this page:

(0 users)Average rating

Document information


More support for:

Lotus End of Support Products
Lotus Domino Server

Software version:

6.0, 6.5

Operating system(s):

AIX, Linux, Solaris

Reference #:

1157675

Modified date:

2004-09-12

Translate my page

Machine Translation

Content navigation