Full access to files is not secure since it can happen that the attacker gets access to highly sensitive information, e.g. from application log files.
It is recommended to set file permissions according to the principle of least privilege.
Since there is no functional necessity for the files containing highly sensitive to be world-readable, the permission should be limited.
This article describes how to specify the privileges satisfying high-security requirements.
It is assumed that FIXEdge was installed according to FIXEdge installation on Linux. Step by step instruction
The guide using /home/user/B2BITS/FIXEdge as FIXEdge installation directory
Restrict access to group and other users and remove write permissions for the installation.
cd /home/user/B2BITS chmod -R u-w FIXEdge/ chmod -R go-rwx FIXEdge/
|Make sure that executable rights for executables are not affected.|
Enable write permissions for logs directories for FIXEdge and fixicc-agent:
chmod -R u+w FIXEdge/FIXEdge1/log/ chmod -R u+w FIXEdge/fixicc-agent/logs/ chmod -R u+w FIXEdge/fixicc-agent/tmp/
The minimal access rights configuration required writing access only for FIXEdge logs, fixicc-agent logs and fixicc-agent metadata ( FIXEdge/fixicc-agent/tmp/).
In case, when it is required to perform changes in configuration, e.g. to add a new session.
The following commands enable changes in the configuration:
chmod -R u+w FIXEdge/FIXEdge1/conf chmod -R u+w FIXEdge/fixicc-agent/conf
|The configuration with read-only permissions protects the system from regressions|
Make sure that permissions are set only for the current user.
ls -l FIXEdge/
The logs are created with read/write rights for groups and other users.
But logs directories still have access only for users.
the required flags for new logs files can be set via configuring file system ACL attributes or using umask tool
Creating the backup of the FIXEdge.properties file is not permitted from FIXICC due to access restriction in this case, therefore, after the session is created an error is thrown.
The session is created anyway