On Fri, Feb 18, 2005 at 07:17:39PM -0000 or thereabouts, Burke, S (Stephen) wrote:
> > Have you actually checked that in practice? As Steve said, the gridftp
> > server on an RB is modified in some way to do with user mapping. Like
> > him I can't remember exactly what the modification is, but it may well
> > be that the mapping is not what you think it is ...
>
> Looking on the CERN RB, /etc/group has:
Hi David,
Putting this all together, the gridftp services run
as root as normal. They run as edguser when the service needs access to your
files and as yourself otherwise.
Two solutions have been quickly suggested here.
1. Make all job files like the proxy file and covered up.
2. Configure ftpaccess to chdir on login thus jailing the
user.
At this time I don't think either is worth commenting on,
this is the kind of thing you have to try in practice and
then see what breaks. This is happening. Other wacky suggestions
are welcome, the above two require a code change.
Steve
>
> edguser:x:995:
> edginfo:x:999:
> sixt:x:1077:edguser
> atlas:x:1307:edguser
> alice:x:1395:edguser
> cms:x:1399:edguser
> lhcb:x:1470:edguser
> dteam:x:2688:edguser
>
> and /etc/passwd has:
>
> edguser:x:995:995:EDG User:/home/edguser:/bin/bash
> edginfo:x:999:999:EDG Info user:/home/edginfo:/bin/bash
> alice001:x:10417:1395:mapped user for group ID 1395:/home/alice001:/bin/bash
> alice002:x:10418:1395:mapped user for group ID 1395:/home/alice002:/bin/bash
> alice003:x:10420:1395:mapped user for group ID 1395:/home/alice003:/bin/bash
>
> [...]
>
> lhcb049:x:18416:1470:mapped user for group ID 1470:/home/lhcb049:/bin/bash
> lhcb050:x:18417:1470:mapped user for group ID 1470:/home/lhcb050:/bin/bash
> lhcbsgm:x:18945:1470:mapped user for group ID 1470:/home/lhcbsgm:/bin/bash
> dteamsgm:x:18946:2688:mapped user for group ID 2688:/home/dteamsgm:/bin/bash
> dteam001:x:18118:2688:mapped user for group ID 2688:/home/dteam001:/bin/bash
> dteam002:x:18119:2688:mapped user for group ID 2688:/home/dteam002:/bin/bash
>
> etc., i.e. the overt mapping does not put the pool accounts in group
> 995, so I guess it is the gridftp server that does it. I think I once
> knew why but the memory is escaping me at the moment ...
>
> Stephen
--
Steve Traylen
http://www.gridpp.ac.uk/