Appendix A Understanding CiscoWorks Security
Server Security
A-4
User Guide for CiscoWorks Common Services
78-16571-01
The CiscoWorks Server relies on the security mechanisms of the NTFS
filesystem to provide access control on Windows systems. If CiscoWorks is
installed on a FAT filesystem, most security assumptions made about
controlled access to files and network management data are not valid.
Runtime
This section describes the runtime activities.
• UNIX Systems—Typically CiscoWorks back-end processes are executed
with permissions set to the user ID of the binary file.
For example, if user “Joe” owns an executable file, it will be executed by the
CiscoWorks daemon manager under the user ID of “Joe.”
The exception is files owned by the root user ID. To prevent a potentially
harmful program from being executed by the daemon manager with root
permissions, the daemon manager will execute only a limited set of
CiscoWorks programs that need root privilege.
This list is deliberately left undocumented so that users cannot try to
impersonate these programs.
All back-end processes are executed with a umask value of 027. This means
that all files created by these programs are created with permissions equal to
“rwxr-x---,” with an owner and group of the user ID and group of the program
that created them. Typically this will be “casuser” and “group=casusers.”
CiscoWorks foreground processes (typically cgi-bin programs or servlets) are
executed under the control of the web server’s child processes or the servlet
engine, which all run as the user casuser.
CiscoWorks uses standard UNIX tftp and rcp services. CiscoWorks also
requires that user casuser have access to the directories that these services
read from and write to.
The CiscoWorks Server must allow the user casuser to run cron and at jobs
to enable the Resource Manager Essentials Software Management
application to run image download jobs.
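The effect of the 027 umask described above, as an added example that is not part of the Cisco guide: a file opened with the usual 0666 request comes out as rw-r----- and a directory as rwxr-x---, and the audit function lists anything under a directory that carries bits the mask would have cleared. The function names and the scratch directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: what umask 027 produces, and an audit for paths that exceed it.
# Function names and the directory argument are assumptions, not CiscoWorks names.

# Print the 10-character mode string (for example -rw-r-----) of a path.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Create a file and a directory under umask 027. The subshell keeps the
# caller's umask unchanged. Prints "<file mode> <directory mode>".
demo_umask_027() {
    (
        umask 027
        : > "$1/data.log"     # open() asks for 0666, mask leaves 0640
        mkdir "$1/spool"      # mkdir() asks for 0777, mask leaves 0750
        echo "$(mode_of "$1/data.log") $(mode_of "$1/spool")"
    )
}

# List paths under $1 that carry any bit umask 027 would have cleared:
# group write (020) or any access for others (004, 002, 001).
# Symbolic links are skipped because their own mode bits are not enforced.
audit_exceeds_027() {
    find "$1" ! -type l \
        \( -perm -020 -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}
```

Run `audit_exceeds_027` against a data directory owned by the service account; any path it prints was created or modified outside the 027 mask and deserves a look.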