From 02a00c78cfae37e18c613d606ef24b92df927dc3 Mon Sep 17 00:00:00 2001 From: Thien-Thi Nguyen Date: Mon, 11 Jan 2021 00:18:27 -0500 Subject: add subsection "Socket permission details" This reflects the result of an email discussion between FD and CG. --- design-documents/010-exchange-helpers.rst | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'design-documents') diff --git a/design-documents/010-exchange-helpers.rst b/design-documents/010-exchange-helpers.rst index a2999487..a304d8ec 100644 --- a/design-documents/010-exchange-helpers.rst +++ b/design-documents/010-exchange-helpers.rst @@ -42,6 +42,12 @@ running under a different user ID (UID), creating in effect a software security module. The exchange's HTTP process will be required to interact with those helpers via a UNIX domain socket. +Socket permission details: + +* The socket will be chmod 0620 (u+rw, g+w) regardless of umask. +* That the group is the same group of the crypto helpers must + still be ensured by the operator. + General design details: * The helpers will process requests from the exchange to sign and revoke keys. -- cgit v1.2.3
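Review bot: The second added bullet ("That the group is the same group of the crypto helpers must still be ensured by the operator") does not say which process owns the socket or which process is expected to reach it through the group bit. With mode 0620 the owner gets read/write and the group gets write only, so the access boundary between the exchange's HTTP process and the helpers depends entirely on that group assignment. Suggest naming the owning UID and the group explicitly, for example "The socket is owned by the helper's UID; its group must be one that the exchange's HTTP process belongs to", and stating what happens when the operator gets the group wrong (connection refused with a permission error, or a startup check that fails loudly). The first bullet says the mode applies "regardless of umask" but not how that is achieved. If the mode is set by a chmod after the socket is created, the document should note whether the socket is briefly reachable with umask-derived permissions and how that window is closed, for example by creating it inside a directory that is already restricted.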