From 34b5b36f14a023a25bf30d0b6bdd3545bd529f1b Mon Sep 17 00:00:00 2001 From: HereThereBeDragons Date: Tue, 1 Aug 2023 11:20:38 +0200 Subject: [PATCH] protected xattr --- apx-parameters.rst | 6 ++++-- cpt-details.rst | 9 +++++++++ 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/apx-parameters.rst b/apx-parameters.rst index 0a81115..06e525b 100644 --- a/apx-parameters.rst +++ b/apx-parameters.rst @@ -124,13 +124,15 @@ CVMFS_TIMEOUT Timeout in seconds for HTTP requests with a prox CVMFS_TIMEOUT_DIRECT Timeout in seconds for HTTP requests without a proxy server. CVMFS_TRACEFILE If set, enables the tracer and trace file system calls to the given file. CVMFS_USE_GEOAPI Request order of Stratum 1 servers and fallback proxies via Geo-API. +CVMFS_USE_SSL_SYSTEM_CA | When connecting to an HTTPS endpoints, + | it will load the certificates provided by the system. CVMFS_USER Sets the ``gid`` and ``uid`` mount options. Don't touch or overwrite. CVMFS_USYSLOG | All messages that normally are logged to syslog are re-directed to the given file. | This file can grow up to 500kB and there is one step of log rotation. | Required for $\mu$CernVM. +CVMFS_XATTR_PRIVILEGED_GIDS Comma-separated list of (main) group IDs that are allowed to access the extended attributes listed by ``CVMFS_XATTR_PROTECTED_XATTRS``. +CVMFS_XATTR_PROTECTED_XATTRS Comma-separated list of extended attributes (full name, e.g. ``user.fqrn``) that are only accessible by ``root`` and the group IDs listed by ``CVMFS_XATTR_PRIVILEGED_GIDS``. CVMFS_WORKSPACE Set the local directory for storing special files (defaults to the cache directory). -CVMFS_USE_SSL_SYSTEM_CA | When connecting to an HTTPS endpoints, - | it will load the certificates provided by the system. =============================== ======================================================================================== diff --git a/cpt-details.rst b/cpt-details.rst index e547c8d..8bef879 100644 --- a/cpt-details.rst +++ b/cpt-details.rst 
@@ -790,6 +790,15 @@ cryptographic hash of the file at hand. The extended attributes are used by the ``cvmfs_config stat`` command in order to show a current overview of health and performance numbers. +Access to extended attributes can be restricted in the client config to +``root`` and users with a specific (main) ``gid`` listed by +``CVMFS_XATTR_PRIVILEGED_GIDS``. Extended attributes to which +this should apply are listed in ``CVMFS_XATTR_PROTECTED_XATTRS``. +Note that those attributes must be listed in their full name, e.g. ``user.fqrn``, +``user.rawlink`` or ``xfsroot.rawlink``. Most of the extended attributes +will have the prefix ``user.``. If uncertain, they can be looked up in the source +code of ``cvmfs/magic_xattr.cc``. + Repository Publishing ---------------------
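Review bot: in the apx-parameters.rst hunk the two new ``CVMFS_XATTR_*`` rows are inserted between ``CVMFS_USYSLOG`` and ``CVMFS_WORKSPACE``, which breaks the alphabetical order the parameter table follows (the same hunk moves ``CVMFS_USE_SSL_SYSTEM_CA`` up precisely to restore ordering), so they belong after ``CVMFS_WORKSPACE``. The two descriptions are also single very long lines, while the neighbouring multi-line entries (``CVMFS_USE_SSL_SYSTEM_CA``, ``CVMFS_USYSLOG``) wrap with ``|`` line-block continuation; wrap them the same way, e.g. ``CVMFS_XATTR_PRIVILEGED_GIDS | Comma-separated list of (main) group IDs that are allowed to access`` followed by ``| the extended attributes listed by ``CVMFS_XATTR_PROTECTED_XATTRS``.``. Since these are access-control knobs, the ``CVMFS_XATTR_PRIVILEGED_GIDS`` row should say explicitly what the parenthetical "(main)" implies, namely that only the primary gid of the calling process is compared and supplementary group membership does not grant access (if that is indeed the behaviour), and what happens when ``CVMFS_XATTR_PROTECTED_XATTRS`` is set but ``CVMFS_XATTR_PRIVILEGED_GIDS`` is empty (root only, or no restriction). While the ``CVMFS_USE_SSL_SYSTEM_CA`` row is being moved anyway, "an HTTPS endpoints" can be fixed to "an HTTPS endpoint".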
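Review bot: in the cpt-details.rst hunk the new paragraph says access "can be restricted" but never states what a non-privileged caller observes when it reads or lists a protected attribute (a permission-denied error, or the attribute simply missing), nor whether protected attributes still show up in the ``cvmfs_config stat`` output mentioned in the preceding context; both matter to anyone relying on this as a control, so add a sentence covering them. "users with a specific (main) ``gid``" should be made precise in the same way: state whether only the primary gid of the process is compared or supplementary groups also count. A one-line configuration example next to the prose would show the comma-separated format, e.g. ``CVMFS_XATTR_PROTECTED_XATTRS=user.fqrn,user.rawlink`` and ``CVMFS_XATTR_PRIVILEGED_GIDS=1000,1001`` (illustrative gids). Finally, "looked up in the source code of ``cvmfs/magic_xattr.cc``" is a weak pointer in user-facing documentation, since a client administrator usually has no source tree at hand; listing the attribute names (or referring to the section of this document that enumerates them) would serve readers better.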