NIAP: View Technical Decision Details
Archived TD0327:  Default file permissions for FMT_CFG_EXT.1.2

Publication Date
2018.05.23

Protection Profiles
PP_APP_v1.2

Other References
FMT_CFG_EXT.1.2

Issue Description

The purpose of the SFR and its Assurance Activities is to ensure that users cannot modify application data; a standard user may therefore hold read and execute (R-X) permissions on TOE files.

Resolution

FMT_CFG_EXT.1.2 is replaced as follows:

FMT_CFG_EXT.1.2  The application shall be configured by default with file permissions which protect the application's binaries and data files from modification by a normal unprivileged user.

Application Note: The precise expectations for file permissions vary per platform but the general intention is that a trust boundary protects the application and its data.

Assurance Activity

The evaluator shall install and run the application. The evaluator shall inspect the filesystem of the platform (to the extent possible) for any files created by the application and ensure that their permissions are adequate to protect them. The method of doing so varies per platform.

For BlackBerry: The evaluator shall run ls -alR|grep -E '^........w.' inside the application's data directories to ensure that all files are not world-writable. The command should not print any files. The evaluator shall also verify that no sensitive data is written to external storage which could be read/modified by any other application.

For Android: The evaluator shall run ls -alR|grep -E '^........w.' inside the application's data directories to ensure that all files are not world-writable. The command should not print any files. The evaluator shall also verify that no sensitive data is written to external storage as this data can be read/modified by any application containing the READ_EXTERNAL_STORAGE and/or WRITE_EXTERNAL_STORAGE permissions.

For Windows: The evaluator shall run the Sysinternals tools Process Monitor and AccessChk (or tools of equivalent capability, such as icacls.exe) for Classic Desktop applications to verify that files written to disk during an application's installation have the correct file permissions, such that a standard user cannot modify the application or its data files. For Windows Universal Applications the evaluator shall consider the requirement met because of the AppContainer sandbox.

For iOS: The evaluator shall determine whether the application leverages the appropriate Data Protection Class for each data file stored locally.

For Linux: The evaluator shall run the command find . -perm /002 inside the application's data directories to ensure that all files are not world-writable. The command should not print any files.

For Solaris: The evaluator shall run the command find . \( -perm -002 \) inside the application's data directories to ensure that all files are not world-writable. The command should not print any files.

For Mac OS X: The evaluator shall run the command find . -perm +002 inside the application's data directories to ensure that all files are not world-writable. The command should not print any files.
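As an added example that is not part of this Technical Decision, the following POSIX shell script carries out the Linux/Solaris/Mac OS X check above on a constructed sample tree, counts world-writable entries, and strips the other-write bit from anything flagged. It relies on the fact that for a single permission bit the POSIX form `-perm -002` is equivalent to GNU find's `-perm /002` and BSD find's `-perm +002`, so one command serves all three platforms; the directory layout and file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the NIAP TD): portable world-writable check for an
# application's data directory, with a constructed sample tree to run it on.
# '-perm -002' (other-write bit set) is POSIX and behaves the same as
# GNU '-perm /002' and BSD '-perm +002' because only one bit is tested.

# Print every world-writable regular file or directory under $1.
# Returns 1 if anything was found (the evaluator expects no output), else 0.
find_world_writable() {
    found=$(find "$1" \( -type f -o -type d \) -perm -002 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Count world-writable entries under $1; "0" means the check passes.
count_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample tree: one correctly protected data file, one
# misconfigured world-writable file and one misconfigured directory.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/data" "$root/cache"
    chmod 755 "$root/data"
    printf 'config\n' > "$root/data/settings.conf"
    printf 'token\n'  > "$root/data/session.db"
    chmod 644 "$root/data/settings.conf"   # rw-r--r--  acceptable: others read only
    chmod 666 "$root/data/session.db"      # rw-rw-rw-  world-writable, must be flagged
    chmod 777 "$root/cache"                # rwxrwxrwx  world-writable dir, must be flagged
    printf '%s\n' "$root"
}

# Remediation: remove the other-write bit from everything the check flags.
remediate_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -exec chmod o-w {} +
}
```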

Justification

See issue description.
