Agent Spool folder is world executable

Article ID: 141945

Products

CA Workload Automation Agents
CA Workload Automation Agent

Issue/Introduction

A customer reported that the agent SPOOL folder is world executable on Unix/Linux servers. They ran this check for auditing purposes.

Cause

The execute permission on directories allows accessing files inside the directory.

Environment

Release : 11.4

Component : CA Workload Automation System Agent

Resolution

The files in the spool folder may have world-writable permission. This can be addressed with the parameter oscomponent.defaultfile.permission.

Change the Default Permissions of the Files Created by the Agent

The spool folder has world writeable and executable permission.

# ls -ld spool
drwxrwxrwt 5 root root 4096 May  8  2019 spool

The execute permission on directories allows accessing files inside the directory. The write permission allows creating and removing entries in it.

If the agent is started as a non-root user and the job owner is a different user, the user specified as job owner will not be able to access the spool folder to update the spool files.

Hence world-writable and world-executable permission needs to be enabled on the spool folder.
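
For the audit side of this, the following added example (not Broadcom's code) classifies a spool directory by its mode and lists the files inside it that any user can modify. The function names are hypothetical. The trailing "t" in the drwxrwxrwt listing above is the sticky bit, which limits removal and renaming of entries to their owner, the directory owner, or root.

```shell
#!/bin/sh
# Added example: audit a spool directory's permissions.
# Function names are hypothetical; pass the spool path as the first argument.

# Classify the directory itself:
#   restricted               - not world-writable
#   sticky                   - world-writable with the sticky bit (drwxrwxrwt)
#   world-writable-no-sticky - world-writable and any user can remove or
#                              rename other users' entries
spool_dir_state() {
    # -prune keeps find on the directory itself; -perm -0002 matches "other: write"
    if [ -z "$(find "$1" -prune -type d -perm -0002 -print)" ]; then
        echo restricted
    elif [ -k "$1" ]; then
        echo sticky
    else
        echo world-writable-no-sticky
    fi
}

# List regular files under the spool directory that any user can modify.
# These are the files the default file permission setting is meant to address.
world_writable_files() {
    find "$1" -type f -perm -0002 -print | sort
}

# Run the audit only when a path is supplied on the command line.
if [ "$#" -gt 0 ]; then
    echo "spool directory state: $(spool_dir_state "$1")"
    echo "world-writable files:"
    world_writable_files "$1"
fi
```

A result of "sticky" matches the listing shown in this article; "world-writable-no-sticky" is the case an auditor should flag first.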