Up: Security Considerations Previous: Unix setuid Operation   Contents


Changing Database File Permissions

Because passwords are stored in unencrypted form, administrators concerned about password security should use standard operating system mechanisms to restrict read access to the CoffeeLink News Server database to the account that the server runs under. The database is stored in a subdirectory named database in the installation directory. All of the files in the database directory must be readable and writable by the account that the CLNews server runs under. Other accounts (i.e. those of the people who read and post to news groups) do not need read access to the CLNews database.

The exact mechanism for restricting access to the files depends on the operating system. On Unix systems, the file permissions on the database directory should be set (using chmod) to 700 (i.e. owner read, write, and execute; all others no access) and the permissions on the database files should be set to 600 (i.e. owner read and write; all others no access). The installation directory and all files and subdirectories under it should be owned by the account that executes the CLNews server.

For example, if the server will be executed by the nobody account and the server was installed in /usr/local/CoffeeLinkNews, the following steps will set the ownerships and file permissions appropriately on most Unix systems:

$ chown -R nobody /usr/local/CoffeeLinkNews
$ chmod 700 /usr/local/CoffeeLinkNews/database
$ chmod 600 /usr/local/CoffeeLinkNews/database/*
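
To confirm afterwards that the tree matches the ownership and modes described above, a check along the following lines can be run. This is an added example, not part of the CLNews distribution; the function name audit_clnews_perms is hypothetical, and requiring mode 700 on subdirectories of database is an assumption (the text above only states it for the database directory itself).

```shell
#!/bin/sh
# Added example (not CLNews code): audit the ownership and modes prescribed above.
# Usage: audit_clnews_perms INSTALL_DIR SERVER_ACCOUNT
# Prints one line per deviation. Returns 0 if clean, 1 on findings, 2 on error.
audit_clnews_perms() {
    install_dir=$1
    owner=$2
    db="$install_dir/database"
    [ -d "$db" ] || { echo "ERROR: no database directory at $db"; return 2; }

    findings=$(
        # Everything under the installation directory must belong to the
        # account that runs the server.
        find "$install_dir" ! -user "$owner" -exec printf 'OWNER: %s\n' {} \;
        # The database directory must be exactly 700 (assumption: so must
        # any subdirectory below it).
        find "$db" -type d ! -perm 700 -exec printf 'DIRMODE: %s\n' {} \;
        # Database files must be exactly 600. find also visits dotfiles,
        # which the shell glob in 'chmod 600 .../database/*' does not match.
        find "$db" -type f ! -perm 600 -exec printf 'FILEMODE: %s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

With the paths from the example above, the call would be audit_clnews_perms /usr/local/CoffeeLinkNews nobody, run as root or as the server account so that the database directory can be traversed.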


Copyright © 2000 by Burton Computer Corporation, All Rights Reserved