Hi Piotr.
Your analysis is correct. This is a well known problem: users belonging
to the same VO can do any kind of nasty things to each other's files. As
you probably have noticed, the /flatfiles/SE00/<VO> directories are set
775 as there is no easy way to manage this issue.
Even if we synchronized the pool account mapping between SE and CE, this
will not help much: the cert->poolaccount mapping has to be reset (by
hand :( !!!) once in a while if all the pool accounts are used. If this
happens, your user A would suddenly find herself mapped to, e.g.,
dteam008 and, if she did protect her files with 700, she would not be
able to access them anymore.
The only solution to this would be certificate-driven ACLs for files
and/or finer grained VOMS access control. One fine day we'll see...
Ciao
Emanuele
Piotr Nyczyk wrote:
> Hi,
> I am quite new in LCG (Poland joined just a few days ago) so maybe I do
> not know all the regulations in LCG, but I think I have noticed some
> security problem.
> I have noticed that gridmapdir is not shared between CE and SE of the same
> site, although storage filesystem (SE:/flatfiles/SE00) is shared by all
> WNs by default. I know that the decision of having separate gridmapdirs
> was made to avoid cross-mounts problems, but unfortunately it leads to
> inconsistencies in certificate to UID mapping in CE and SE. What I am
> talking about is the following situation.
>
> Imagine that you have user A and user B. The following mapping can occur:
> site-X-CE:
> A -> dteam001
> B -> dteam002
> site-X-SE:
> A -> dteam002
> B -> dteam001
> And now user A stores some file "important_data.dat" on site-X-SE using
> gridftp.
> So now we have file "important_data.dat" on site-X-SE owned by dteam002
> user (see the mapping).
> OK, and meanwhile user B comes. He submits the following job to site-X-CE
> (so it goes to WN which has nfs access to storage)
> chmod 700 /flatfiles/SE00/important_data.dat
> Notice that he can do this because he is mapped as dteam002 on CE!
> And now user A wants to submit some job which uses the file, and he can't,
> because he is mapped as dteam001 on CE and the file is owned by dteam002
> without proper permissions! So the user is unable to use his own files!
> There are other even more horrible consequences (like stealing the Higgs
> particle from an over-enjoyed Nobel-prize candidate :) etc. )
> I know that this only happens when someone (B) is very nasty, but can you
> assure that there will be no nasty people in large VO???
> On the other hand, having gridmapdirs synchronized would allow the user to
> protect his important data by putting 700 attributes on it...
> Sorry for such long and boring stuff, but do you have any comments on
> this problem?
>
> Cheers,
> Piotr
--
/------------------- Emanuele Leonardi -------------------\
| eMail: [log in to unmask] - Tel.: +41-22-7674066 |
| IT division - Bat.31 2-012 - CERN - CH-1211 Geneva 23 |
\---------------------------------------------------------/
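As an added illustration (not code from this thread or from LCG), the mismatch Piotr describes can be checked mechanically: the script below builds two small gridmapdir-style directories with the constructed leases from his example, recovers each host's DN-to-pool-account mapping from the hard-link inodes, and reports every DN whose SE-side files would be controlled by a different DN on the CE. The gridmapdir layout and the DN encoding are simplified assumptions, and the DNs are made up.

```python
import os
import tempfile
from urllib.parse import quote, unquote

# Constructed leases for the two hosts in the thread (DN -> pool account); DNs are made up.
DN_A = "/C=PL/O=GRID/CN=user A"
DN_B = "/C=PL/O=GRID/CN=user B"
CE_LEASES = {DN_A: "dteam001", DN_B: "dteam002"}
SE_LEASES = {DN_A: "dteam002", DN_B: "dteam001"}

def build_gridmapdir(path, leases):
    """Gridmapdir-style layout (assumed): one empty file per pool account, plus a hard
    link named after the URL-encoded DN for each lease; the real DN encoding differs."""
    os.makedirs(path, exist_ok=True)
    for dn, account in leases.items():
        account_file = os.path.join(path, account)
        if not os.path.exists(account_file):
            open(account_file, "w").close()
        os.link(account_file, os.path.join(path, quote(dn, safe="")))

def read_gridmapdir(path):
    """Recover DN -> pool account by matching the inode numbers of the hard links."""
    account_by_inode, inode_by_dn = {}, {}
    for name in os.listdir(path):
        inode = os.stat(os.path.join(path, name)).st_ino
        if "%" in name:                 # encoded-DN link
            inode_by_dn[unquote(name)] = inode
        else:                           # pool account file
            account_by_inode[inode] = name
    return {dn: account_by_inode[inode] for dn, inode in inode_by_dn.items()}

def find_inconsistencies(ce_map, se_map):
    """Return (dn, account owning its SE-written files, DN holding that account on the
    CE/WNs) for every DN whose two mappings disagree; the holder is None if unleased."""
    ce_holder = {account: dn for dn, account in ce_map.items()}
    return [(dn, acct, ce_holder.get(acct))
            for dn, acct in sorted(se_map.items())
            if ce_holder.get(acct) != dn]

def demo():
    """Build both gridmapdirs in a scratch directory, read them back and compare."""
    with tempfile.TemporaryDirectory() as root:
        build_gridmapdir(os.path.join(root, "ce"), CE_LEASES)
        build_gridmapdir(os.path.join(root, "se"), SE_LEASES)
        ce_map = read_gridmapdir(os.path.join(root, "ce"))
        se_map = read_gridmapdir(os.path.join(root, "se"))
    return find_inconsistencies(ce_map, se_map)
```

Calling `demo()` on the thread's mappings reports that A's files (owned by dteam002 on the SE) are controlled by B from the CE, and B's by A; pointing `read_gridmapdir` at a real CE and SE gridmapdir gives the same report for a live site.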