Prospective security issue with the files_temp directory on RHEL

Document ID : KB000008867
Last Modified Date : 14/02/2018
Show Technical Document Details
Issue:

We have identified that the agent installation process on RHEL Operating System creates a "files_temp" directory and grants full access to all users on this directory.
We need to reduce that kind of exposure as much as possible. What are the recommended permission configuration allowed on this directory.

Environment:
CA Release Automation :6.4 and higher
Cause:

This folder is used by agent as temporary place holder to do some file_transfers, for example file distribution, put/get file from remote agents etc, and probably in artifact distribution too. There can be more usage of this specific folder but most prevalent one are mentioned former.

As per OS permission the permission level 777 is given for user-groups-others, The need of giving this permission to have successful execution is for the very obvious reason in case if you are trying to run an action impersonating as a user who is not part of the group this action may fail. For example some of the most obvious error we have seen with permission level 755 is

"Cannot put file on remote agent - cannot copy source [/tmp/test2/test2.txt] to temporary directory [{installation directory}/files_temp/"

Resolution:

If you are very sure that in your environment, the execution will be majorly done by user who are either owner of Agent install directory or some other user who will be part of the group owning RA installation directory, permission level on files_temp 775 will do.