Securing parameter settings

By default, the configuration files—centrifydc.conf and centrifyda.conf—are owned by root. In most cases, therefore, the parameter settings you specify are secure because they can only be set or modified by the root user and access to the root account is tightly controlled. However, there are many parameters that allow you to specify settings in an external file. For example, the pam.allow.groups parameter allows you to specify a list of groups in an external file, then set the parameter value to use the file: keyword and the file path and file name of that external file.

If you are using an external file to configure parameter settings, you should ensure that the external file meets the following security requirements:

  • The external file is owned by root or an equivalently-protected account.
  • The external file is not group or world writable.
  • The path you specify to the external file is not a symbolic link.