Simple security and file copying/moving #230
Comments
|
Hi Marcel, All files and directories are owned by the xrootd process (i.e. the uid of that process). In order to provide access control you need to enable authorization and create an authorization file as described in the documentation you have referred to. Is the issue triggered because you want to use xrootd via a FUSE mount? |
|
I made a test with some spare machines. I created the authorization file and give full permission to a user called xrootdadmin. But xrootdadmin cannot move or delete the files in /data/xrootdfs/testfolder. xrootdadmin can, however, copy the files. We have some Terabytes of data and we want to apply the security without troubles. Marcel. |
|
You can have sort of 'standard' POSIX behaviour using this plug-in: https://github.com/cern-eos/xrootd-auth-change-uid This works on Linux and makes xrootd behave like an NFS server e.g. every To use it you have to use either UNIX, KRB5 or GSI authentication. It can also be combined with the default AUTH library. Cheers Andreas. On Thu, Apr 23, 2015 at 8:19 PM, Marcel Kuriyama notifications@github.com
|
|
Andreas, How to I get/install the file libAuthChangeFsUid.so? I don't know how to use the *.cmake file. Thanks Marcel |
|
For XRootd 4.1. and Redhat6 you can download an RPM here: http://eos.cern.ch/rpms/eos-diamond/slc-6-x86_64/xrootd-auth-change-uid-0.2.0-1.x86_64.rpm Otherwise you have to get the source and compile. You probably need the 'xrootd-devel' and 'xrootd-private-devel' RPM git clone https://github.com/cern-eos/xrootd-auth-change-uid.git Cheers Andreas. On Fri, Apr 24, 2015 at 12:21 PM, Marcel Kuriyama notifications@github.com
|
|
Thanks. I will do some tests now. Marcel. |
|
Is there a 32 bits version of libAuthChangeFsUid.so? The test machines are 32 bits. Marcel |
|
I just have built them: http://eos.cern.ch/rpms/eos-diamond/slc-6-i386/xrootd-auth-change-uid-0.2.0-1.i686.rpm Cheers Andreas. On Fri, Apr 24, 2015 at 2:03 PM, Marcel Kuriyama notifications@github.com
|
|
Andreas The last rpm installed libAuthChangeFsUid.so on /usr/lib64, but the default place of a 32 bit machine is /usr/lib. May I just copy/move this file from /usr/lib64 to /usr/lib? xrootd-clustered.cfg: this specify that we use the 'unix' authentication module, additional one can be specified.sec.protocol /usr/lib unix this is the authorization fileacc.authdb /etc/xrootd/auth_file ENABLE_SECURITY_ENDMarcel |
|
Ah sorry, Cheers Andreas. On Fri, Apr 24, 2015 at 2:22 PM, Marcel Kuriyama notifications@github.com
|
|
I used the file but the xrootd didn't start. xrootd.seclib /usr/lib/libAuthChangeFsUid.so Marcel |
|
You need this: xrootd.seclib libXrdSec.so |
|
Xrootd still don't start. |
|
Can you post the log file of xrootd ... |
|
++++++ xrootd protocol initialization started. |
|
It says: Did you copy the library there? Cheers Andreas. |
|
[root@xrootserver1 ~]# ldd /usr/lib/libAuthChangeFsUid.so [root@xrootserver1 ~]# ls -l /usr/lib/libAuthchangeFsUid.so As you can see, ls command show the file in the folder |
|
Look: You have named it with lower case "change" ... Cheers Andreas. |
|
Oh, that is it! Well, it is working now. I will do some tests. Thanks. Marcel |
|
The primary tests are ok! [ Before security implementation ]: [ After security implementation ]: Thank you very much for the libAuthChangeFsUid.so suggestion. Marcel |
|
Ops, other users can move and delete the files and folders inside the johnsmith folder. But, without the libAuthChangeFsUid.so neither the owner can delete his own files or folders. |
|
Hmmm, If you create a file with "johnsmith" ... is the file owned by johnsmith? Cheers Andreas. |
|
ls -l |
|
All folders and files has ownership of xrootd user and group. |
|
Ah sorry, xrootd -Rxrootd -c /etc/xrootd/xrootd-clustered.cfg -d I have to dig out on one of my setups how to do this with the XROOTD start up script ... I will send you on Monday the instructions. Cheers Andreas. |
|
Ahh ... I found it .... and That should do it! |
|
One important comment, |
|
I made the changes and... service xrootd restart And.. no, We don´t use krb5. We rely more on LDAP authentication. |
|
Xrootd is still the owner of all files and folders. Maybe I must remove all users from the xrootd group. |
|
I have added already the root squash by default if you pick now version 0.2.1 ... http://eos.cern.ch/rpms/eos-diamond/slc-6-i386/xrootd-auth-change-uid-0.2.1-1.i686.rpm Cheers Andreas |
|
Remove user from xrootd group didn't work too. And, the last rpm file gave this error: rpm -ivh xrootd-auth-change-uid-0.2.1-1.i686.rpm |
|
Solved last problem: rpm -ivh xrootd-auth-change-uid-0.2.1-1.i686.rpm Restarted xrootd service, but still with permission problems. Maybe the 64 bit version is good. But I cannot install it because the machines are in use and I don't want to mess with them. |
|
I don't know the reason for that but maybe you are better of using the In your auth db you can just define rules by users like: every use has a private directoryu foo /data/foo/ a all the xrootd group members share read permissiong xrootd /data/ r and that should give exactly the behaviour you were describing ... But maybe I don't understand fully your use case. You want to change files Cheers Andreas. On Fri, Apr 24, 2015 at 9:26 PM, Marcel Kuriyama notifications@github.com
|
|
I just want that each user has full controll only on its own folder and files. Marcel. |
|
Hi Marcel, Is this still an issue for you? If not, I will close this ticket. Andy |
|
I am closing this ticket as we have not heard of any additional problems regarding this issue. |
I want to apply the Simple (Unix) Security on my xrootd installation:
https://twiki.grid.iu.edu/bin/view/Documentation/Release3/InstallXrootd#Security_Option_1_Adding_Simple
But the users created folders that is not their username.
For example: the user johnsmith created a folder /data/xrootdfs/testfolder and copied some files to that folder.
If I apply the security the user johnsmith will not have access to that folder or files.
Questions: can the user create a folder with his username (/data/xrootdfs/johnsmith) and move the folder testfolder to it and preserve the ownership?
He can just use the 'mv' command?
Or he must copy the folder and just delete the original one?
Thanks in advance
Marcel
The text was updated successfully, but these errors were encountered: