FIPS Operational Environment

186 bytes removed, 00:24, 9 June 2006
Configuring Discretionary Access Control
==Configuring Discretionary Access Control==
On Unix (including Linux and Mac OS X), discretionary access control is configured by setting the file mode bits of the files. The file mode bits can be set when the files are created. After the files are created, the file mode bits can be changed with the <code>chmod</code> utility.

Below we describe how to specify the roles that can access each component of the NSS module.

===Stored Cryptographic Software and Cryptographic Programs===
When installing the NSS library files, the operator shall use the <code>chmod</code> utility to set the file mode bits of the NSS library files to '''0755''', making them readable, writable, and executable by the owner, and readable and executable by everyone. For example,

 $ chmod 0755 libsoftokn3.so libfreebl3.so

In other words, all users can execute the stored cryptographic software, but only the files' owner can modify (i.e., write, replace, and delete) cryptographic programs.<div class=note>'''Note''': the read permission is required as well, because the software integrity test reads the library files.</div>

The file mode bits can be verified with the <code>ls</code> utility. For example,

 $ ls -l libsoftokn3.so libfreebl3.so
 -rwxr-xr-x 1 wtchang wtchang  455411 Jun  8 17:07 libfreebl3.so
 -rwxr-xr-x 1 wtchang wtchang 1052734 Jun  8 17:07 libsoftokn3.so

===Cryptographic Keys, CSPs, and Plaintext Data===
The NSS module creates its database files with the '''0600''' permission bits, making them readable and writable by the owner only.

===Audit Data===
The operating system enforces that audit data can only be read or modified by the root user.

===Entry of Cryptographic Keys and CSPs===
NSS does not support manual entry of cryptographic keys and CSPs.
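The following script is an added example, not part of the wiki page or of NSS itself. It turns the <code>chmod</code>/<code>ls -l</code> procedure above into a repeatable check: it reads each file's permission bits, verifies that the two library files named on the page carry 0755 and that database files carry 0600, and confirms that only the owner holds write permission. The library names come from the page; <code>example.db</code> is a stand-in name for an NSS database file, and the install directory is created from empty files so the check can be demonstrated offline.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify that the file mode bits of an NSS
# install match the discretionary access control described above:
#   - stored cryptographic software (libsoftokn3.so, libfreebl3.so): 0755
#   - NSS database files (*.db): 0600
# "example.db" below is a stand-in name, not a file NSS necessarily creates.

# Print the permission bits of FILE in octal, e.g. 755 (GNU stat first, BSD/macOS
# stat as a fallback); fail if the file cannot be read.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null
}

# Succeed if FILE's permission bits equal EXPECTED; 0755 and 755 compare equal.
check_mode() {
    _actual=$(mode_of "$1") || return 1
    _expected=$2
    _actual=${_actual#0}; _expected=${_expected#0}
    [ "$_actual" = "$_expected" ]
}

# Succeed if only the owner can write FILE, i.e. the group and other write bits
# (value 2 in the last two octal digits) are clear.
owner_only_write() {
    _m=$(mode_of "$1") || return 1
    while [ ${#_m} -lt 3 ]; do _m=0$_m; done   # pad "0" or "60" to three digits
    _other=${_m#${_m%?}}                       # last digit: other
    _rest=${_m%?}
    _group=${_rest#${_rest%?}}                 # second-to-last digit: group
    [ $(( ($_group / 2) % 2 )) -eq 0 ] && [ $(( ($_other / 2) % 2 )) -eq 0 ]
}

# Audit DIR: report every file whose mode deviates from the prescription and
# succeed only if none do.
audit_nss_dir() {
    _dir=$1; _rc=0
    for _lib in libsoftokn3.so libfreebl3.so; do
        if ! check_mode "$_dir/$_lib" 0755; then
            echo "BAD  $_dir/$_lib: mode '$(mode_of "$_dir/$_lib")', expected 0755" >&2
            _rc=1
        fi
    done
    for _db in "$_dir"/*.db; do
        [ -e "$_db" ] || continue
        if ! check_mode "$_db" 0600; then
            echo "BAD  $_db: mode '$(mode_of "$_db")', expected 0600" >&2
            _rc=1
        fi
    done
    return $_rc
}

# Constructed stand-in install: empty files carrying the prescribed modes, so the
# checks can be exercised without a real NSS build.
make_stand_in_install() {
    _dir=$1
    for _f in libsoftokn3.so libfreebl3.so; do
        : > "$_dir/$_f" && chmod 0755 "$_dir/$_f"
    done
    : > "$_dir/example.db" && chmod 0600 "$_dir/example.db"
}

# Demo: a correct install passes; a library left at 0644 (readable but not
# executable by anyone) is flagged.
demo_dir=$(mktemp -d)
make_stand_in_install "$demo_dir"
audit_nss_dir "$demo_dir" && echo "OK: modes match the prescription"
chmod 0644 "$demo_dir/libsoftokn3.so"
audit_nss_dir "$demo_dir" || echo "audit flagged the 0644 library"
rm -rf "$demo_dir"
```

Run it from a shell in the directory where the libraries were installed, replacing the stand-in directory with the real one; the checks compare only the rwx bits, so a setuid or setgid digit on a library would not be reported by <code>check_mode</code> and should be looked for separately.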