Skip to content

protected xattr #201

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
vvolkl merged 1 commit into from
Aug 15, 2023
Merged

protected xattr #201

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions apx-parameters.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -124,13 +124,15 @@ CVMFS_TIMEOUT Timeout in seconds for HTTP requests with a prox
CVMFS_TIMEOUT_DIRECT Timeout in seconds for HTTP requests without a proxy server.
CVMFS_TRACEFILE If set, enables the tracer and trace file system calls to the given file.
CVMFS_USE_GEOAPI Request order of Stratum 1 servers and fallback proxies via Geo-API.
CVMFS_USE_SSL_SYSTEM_CA | When connecting to an HTTPS endpoints,
Copy link
Contributor

@vvolkl vvolkl Sep 1, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove "an": When connecting to HTTPS endpoints

| it will load the certificates provided by the system.
CVMFS_USER Sets the ``gid`` and ``uid`` mount options. Don't touch or overwrite.
CVMFS_USYSLOG | All messages that normally are logged to syslog are re-directed to the given file.
| This file can grow up to 500kB and there is one step of log rotation.
| Required for $\mu$CernVM.
CVMFS_XATTR_PRIVILEGED_GIDS Comma-separated list of (main) group IDs that are allowed to access the extended attributes listed by ``CVMFS_XATTR_PROTECTED_XATTRS``.
CVMFS_XATTR_PROTECTED_XATTRS Comma-separated list of extended attributes (full name, e.g. ``user.fqrn``) that are only accessible by ``root`` and the group IDs listed by ``CVMFS_XATTR_PRIVILEGED_GIDS``.
CVMFS_WORKSPACE Set the local directory for storing special files (defaults to the cache directory).
CVMFS_USE_SSL_SYSTEM_CA | When connecting to an HTTPS endpoints,
| it will load the certificates provided by the system.
=============================== ========================================================================================


Expand Down
9 changes: 9 additions & 0 deletions cpt-details.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -790,6 +790,15 @@ cryptographic hash of the file at hand. The extended attributes are used
by the ``cvmfs_config stat`` command in order to show a current overview
of health and performance numbers.

Access to extended attributes can be restricted in the client config to
``root`` and users with a specific (main) ``gid`` listed by
``CVMFS_XATTR_PRIVILEGED_GIDS``. Extended attributes to which
this should apply are listed in ``CVMFS_XATTR_PROTECTED_XATTRS``.
Note that those attributes must be listed in their full name, e.g. ``user.fqrn``,
``user.rawlink`` or ``xfsroot.rawlink``. Most of the extended attributes
will have the prefix ``user.``. If uncertain, they can be looked up in the source
code of ``cvmfs/magic_xattr.cc``.

Repository Publishing
---------------------

Expand Down