taler-docs

Documentation for GNU Taler components, APIs and protocols

commit 02a00c78cfae37e18c613d606ef24b92df927dc3
parent f58e345828204e96339d9b50ad650d5236706b29
Author: Thien-Thi Nguyen <ttn@gnuvola.org>
Date:   Mon, 11 Jan 2021 00:18:27 -0500

add subsection "Socket permission details"

This reflects the result of an email discussion between FD and CG.

Diffstat:
M design-documents/010-exchange-helpers.rst | 6 ++++++
1 file changed, 6 insertions(+), 0 deletions(-)

diff --git a/design-documents/010-exchange-helpers.rst b/design-documents/010-exchange-helpers.rst @@ -42,6 +42,12 @@ running under a different user ID (UID), creating in effect a software security module. The exchange's HTTP process will be required to interact with those helpers via a UNIX domain socket. +Socket permission details: + +* The socket will be chmod 0620 (u+rw, g+w) regardless of umask. +* That the group is the same group of the crypto helpers must + still be ensured by the operator. + General design details: * The helpers will process requests from the exchange to sign and revoke keys.
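
Review bot: The second added bullet ("That the group is the same group of the crypto helpers must still be ensured by the operator") is ambiguous about which object's group is meant: the socket file's group, or the group of the exchange's HTTP process that connects to it. Mode 0620 gives the group write-only access, which on Linux is the permission needed to connect to a UNIX domain socket, so the bullet should name the process that has to be in that group. If the intent is that the exchange's HTTP process must share a group with the helpers, say so directly, for example "The operator must ensure that the exchange's HTTP process is a member of the crypto helpers' group." The first bullet would also benefit from stating which user owns the socket, since u+rw is only meaningful once the owner is named, and from noting whether the chmod happens before the socket starts accepting connections, given that it is described as overriding the umask.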