File Access Restrictions for Files With Sensitive Information
Some files used by Reflection X contain information that might pose a security risk if acquired or modified by a malicious user. When files with sensitive data are created, they are given file permissions that minimize this risk. You should not change these default permissions, as doing so creates an increased security risk. Depending on how you install and configure Reflection X, you may have files that contain the following sensitive information:
-
Private keys used to authenticate a user to a remote X client host. Depending on your configuration, these files may be on your file system or stored within the Reflection X database.
-
Saved passwords. Passwords are saved to the Reflection X database. Passwords in the database are not encrypted. The security of this information is maintained by the access restrictions on the database files.
-
Reflection X Service settings identifying the nodes in a distributed Reflection X configuration, and the ports used by those nodes.
-
Private keys used by Reflection X to authenticate programs and users during session sharing and use of the Remote Session Services feature.
Log File Warnings
When a Reflection X program or service uses a file that should be configured for restricted access and the file permissions have been modified in a way that presents a potential security risk, the program or service continues to use that file, but also logs a warning to the appropriate log file. See Logging for information about where to locate log files.
For example, the following xmanager.log entry shows that the private key demokey, which was used to authenticate to an X client host, has insufficient access restrictions:
[ WARN]: Permissions incorrect for C:\Users\Joe\Documents\demokey. The permissions should be set to only allow Joe access.
Files with Access Restrictions
The files in the table below are created using the recommended access restrictions shown in the table. These permission settings should not be modified.
| Files | Location | Access Restrictions |
|---|---|---|
| Secure Shell user keys | User-defined. | Readable and writable only by the user. |
| Note: It is recommended that you put user keys in a directory that is owned by the user; however, placing keys in a shared location does not generate a warning as long as the keys themselves use the default access restrictions. | Readable and writable only by the user. | |
| Stand-alone X Manager database (on the computer running X Manager) | Windows: %UserProfile%\Documents\Micro Focus\Reflection\db\ Linux: $HOME/.microfocus/reflection/db/ | Readable and writable only by the user |
| Domain database (on the computer running the Domain Controller) | Windows: %AllUsersProfile%\.microfocus\rx\db Linux: /opt/microfocus/ReflectionX/db | Readable and writable only by administrator |
Reflection X Service configuration files: domains.xml, domain-nodes.xml, host-nodes.xml | Windows: %AllUsersProfile%\.microfocus\rx\conf Linux: <rx_installation_directory>/conf | Writable only by administrator |
| Reflection X Service identity files: | Windows: %AllUsersProfile%\.microfocus\rx\identity Linux: <rx_installation_directory>/identity | Readable and writable only by administrator |
| X Manager application and user private keys (not user-generated; these are used by X Manager for session sharing): | Windows: %UserProfile\Documents\Micro Focus\Reflection\identity Linux: $HOME/.microfocus/reflection/identity | Readable and writable only by the user |
More information