FIPS Operational Environment: Difference between revisions

Jump to navigation Jump to search

FIPS Operational Environment (view source)

Revision as of 00:24, 9 June 2006

186 bytes removed ,  9 June 2006
→‎Configuring Discretionary Access Control
Line 5: Line 5:
==Configuring Discretionary Access Control==
==Configuring Discretionary Access Control==


On Unix (including Linux and Mac OS X), discretionary access control can be configured by setting the file mode bits of the files. The file mode bits can be set when the files are created.  The file mode bits can be changed with the <code>chmod</code> utility..
On Unix (including Linux and Mac OS X), discretionary access control can be configured by setting the file mode bits of the files. The file mode bits can be set when the files are created.  After the files are created, the file mode bits can be changed with the <code>chmod</code> utility.


When installing the NSS library files, the operator shall use the <code>chmod</code> utility to set the file mode bits of the NSS library files to 0644, making them readable and writable by the owner, and readable by everyone.
Below we describe how to specify the set of roles that can access each component of the NSS module.
<div class=note>'''Note''': on HP-UX, the shared libraries must be executable, so the file mode bits shall be set to 0755.</div>


The NSS module creates its database files with the 0600 permission bits, making them readable and writable by the owner only.
===Stored Cryptographic Software and Cryptographic Programs===
When installing the NSS library files, the operator shall use the <code>chmod</code> utility to set the file mode bits of the NSS library files to '''0755''', making them readable, writable, and executable by the owner; and readable and executable by everyone. For example,
  $ chmod 0755 libsoftokn3.so libfreebl3.so
In other words, all users can execute the stored cryptographic software, but only the files' owner can modify (i.e., write, replace, and delete) cryptographic programs. The file mode bits can be verified with the <code>ls</code> utility. For example,
  $ ls -l libsoftokn3.so libfreebl3.so
  -rwxr-xr-x  1 wtchang wtchang  455411 Jun  8 17:07 libfreebl3.so
  -rwxr-xr-x  1 wtchang wtchang 1052734 Jun  8 17:07 libsoftokn3.so


===Cryptographic Keys, CSPs, and Plaintext Data===
The NSS module creates its database files with the '''0600''' permission bits, making them readable and writable by the owner only.


===Audit Data===


* specify the set of roles that can execute stored cryptographic software: all users. For example, <code>"chmod a+rx libsoftokn3.so"</code>.  '''Note''': the read permission is required for the software integrity test.
The operating system enforces that audit data can only be read or modified by the root user.
* specify the set of roles that can modify (i.e., write, replace, and delete) cryptographic programs: the owner only. For example, <code>"chmod u+w libsoftokn3.so; chmod go-w libsoftokn3.so"</code>.
 
* specify the set of roles that can modify (i.e., write, replace, and delete) cryptographic data (e.g., cryptographic keys and audit data), CSPs, and plaintext data: NSS databases can only be modified by the owner.  Audit data can only be modified by the root user.
===Entry of Cryptographic Keys and CSPs===
* specify the set of roles that can read cryptographic data (e.g., cryptographic keys and audit data), CSPs, and plaintext data: NSS databases can only be read by the owner.  Audit data can only be read by the root user.
 
* specify the set of roles that can enter cryptographic keys and CSPs: '''N/A'''. NSS does not support manual entry of cryptographic keys and CSPs.
'''N/A'''. NSS does not support manual entry of cryptographic keys and CSPs.
Wtchang
canmove, Confirmed users
937

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/27473"

Navigation menu