The jexec Wrapper

When you invoke the Remote Agent through SSH, the Remote Agent uses the jexec wrapper to invoke the Java Virtual Machine. This wrapper is a native executable that is owned by root and has the setuid bit set. This file has the same groupid as the user you used to install the Remote Agent and it gives execute permission to the group. Additionally, the file is stored in a directory called protect that is owned by the user you used to install the Remote Agent. The file only gives execute permission to the user that owns the Remote Agent. This prevents any other user from being able to execute the jexec wrapper.

You must ensure that the file permissions on jexec and protect are not accidentally changed at any point.

To further tighten security for jexec, make any or all of the following changes:

• The JVM executables, usually shell scripts, must be owned by root or the user that owns the application and do not give write permissions to any other users or groups. If you install the JRE with the N1 Service Provisioning System 4.1, ensure that all the files in N1SPS4.1-home/common/jre are owned by the user that owns the application and do not give write access to any other users or groups.

• The user ID of the user that owns the application must only be allowed to log in using SSH. When logging in using SSH, only public-key authentication should be allowed. The /N1SPS4.1-home/.ssh directory should not give any permissions to any other users or groups.

• The SSH server can be configured to allow only public key authentication by ensuring that the etc/sshd_config file contains the following line to disable password authentication.

  PasswordAuthentication no

• Ensure that the etc/sshd_config file does not have lines containing RhostsRSAAuthentication, as this is not allowed by default. Also ensure that RSAAuthentication, if present, is set to yes, the default.

• You can further tighten security on the Remote Agent by editing the /N1SPS4.1-home/.ssh/authorized_keys2 file and prefixing the following text to the line that contains the public key of the Master Server.

  no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty

The sshd(1M) man page offers additional details.