How to Secure an SMD file?

Context

As the /opt/aerospike/smd/security.smd file stores sensitive information about users and roles, it is advisable to secure it and restrict its permissions so that it is not accessible outside of the asd process.

Method

By default, the permissions on all SMD files allow read access to everyone. To secure the file, change the permissions of the /opt/aerospike/smd directory and of the SMD files inside it:

root@011f72823081:/# ls -la /opt/aerospike/
total 40
drwxr-xr-x 1 aerospike aerospike 4096 Apr 24 13:17 .
drwxr-xr-x 1 root      root      4096 Apr 24 13:17 ..
drwxr-xr-x 2 aerospike aerospike 4096 Apr 24 13:17 bin
drwxr-xr-x 2 aerospike aerospike 4096 Nov 10  2020 data
drwxr-xr-x 2 aerospike aerospike 4096 Apr 24 13:17 doc
drwxr-xr-x 4 aerospike aerospike 4096 Apr 24 13:17 lib
drwxr-xr-x 1 aerospike aerospike 4096 Jun 22 12:26 smd   <<<<
drwxr-xr-x 3 aerospike aerospike 4096 Apr 24 13:17 usr

root@011f72823081:/# ls -la /opt/aerospike/smd/
total 20
drwxr-xr-x 1 aerospike aerospike 4096 Jun 22 12:26 .
drwxr-xr-x 1 aerospike aerospike 4096 Apr 24 13:17 ..
-rw-r--r-- 1 root      root       292 Jun 22 10:12 sindex.smd
-rw-r--r-- 1 root      root       292 Jun 22 10:12 security.smd
-rw-r--r-- 1 root      root       289 Jun 22 12:26 truncate.smd

The commands to restrict read permission on the SMD files are given below:

$ cd /opt/aerospike/
$ chmod 700 smd
$ chmod 600 smd/security.smd

// The same command can be used to secure the other .smd files in this directory.

root@011f72823081:/# ls -la /opt/aerospike/
total 40
drwxr-xr-x 1 aerospike aerospike 4096 Apr 24 13:17 .
drwxr-xr-x 1 root      root      4096 Apr 24 13:17 ..
drwxr-xr-x 2 aerospike aerospike 4096 Apr 24 13:17 bin
drwxr-xr-x 2 aerospike aerospike 4096 Nov 10  2020 data
drwxr-xr-x 2 aerospike aerospike 4096 Apr 24 13:17 doc
drwxr-xr-x 4 aerospike aerospike 4096 Apr 24 13:17 lib
drwx------ 1 aerospike aerospike 4096 Jun 22 12:26 smd   <<<<
drwxr-xr-x 3 aerospike aerospike 4096 Apr 24 13:17 usr

root@011f72823081:/# ls -la /opt/aerospike/smd
total 20
drwx------ 1 aerospike aerospike 4096 Jun 22 12:26 .
drwxr-xr-x 1 aerospike aerospike 4096 Apr 24 13:17 ..
-rw-r--r-- 1 root      root       292 Jun 22 10:12 sindex.smd
-rw-r--r-- 1 root      root       289 Jun 22 12:26 truncate.smd
-rwx------ 1 root      root       289 Jun 22 12:26 security.smd
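
The same check and fix as a reusable script, added here as an example and not Aerospike's own tooling: audit_smd lists the directory and any .smd file that still grants group or other access, and harden_smd applies the 700/600 modes above to every .smd file. The function names and the temporary demo directory are assumptions; the script assumes GNU find, and because mode 600 leaves access to the file owner only, asd must run as that owner (or as root).

```shell
#!/bin/sh
# Added example: audit and tighten permissions on an Aerospike SMD directory.
# Assumes GNU find (-maxdepth, -perm /MODE) on a Linux host.

# Print the directory itself and every .smd file directly inside it
# whose mode grants any group or other permission bit (mask 077).
audit_smd() {
    find "$1" -maxdepth 0 -perm /077 -print
    find "$1" -maxdepth 1 -type f -name '*.smd' -perm /077 -print
}

# Apply the modes used in the article: 700 on the directory,
# 600 on every .smd file in it. Other files are left untouched.
harden_smd() {
    chmod 700 "$1" || return 1
    find "$1" -maxdepth 1 -type f -name '*.smd' -exec chmod 600 {} +
}

# Constructed demo: a throwaway directory stands in for /opt/aerospike/smd.
# Prints "<findings before> <findings after>".
demo() {
    d=$(mktemp -d) || return 1
    mkdir -m 755 "$d/smd"
    for f in security sindex truncate; do
        : > "$d/smd/$f.smd"
        chmod 644 "$d/smd/$f.smd"
    done
    before=$(audit_smd "$d/smd" | wc -l)
    harden_smd "$d/smd"
    after=$(audit_smd "$d/smd" | wc -l)
    rm -rf "$d"
    echo "$((before)) $((after))"
}

demo
```

On a real node, run audit_smd /opt/aerospike/smd first; empty output means nothing in the directory is exposed to group or other.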

Notes

  • The ability to use hashed passwords from the client has been removed.
  • Refer to the release notes for the client version (CLIENT-1485) in which this was changed. For Aerospike Tools (TOOLS-1689), this is addressed in release 5.2.0.

Keywords

SECURE SMD SECURITY.SMD

Timestamp

July 2021
