Fixed CVE-2013-3709: make the secret token file readable only for the webyast user to avoid forging the session cookie