
RW on mds+ shotfiles for "group" in linux

Open rui-coelho opened this issue 9 months ago • 4 comments

Affiliation IST Lisbon

Version(s) Affected 7.96.1/intel/2020

Platform Operating System: CentOS Linux 7 (Core) CPE OS Name: cpe:/o:centos:centos:7 Kernel: Linux 3.10.0-693.el7.x86_64

Description At the Linux cluster we are using (EUROfusion Gateway), by default every time a new shotfile is created using the mds+ backend we see that the file permissions are RW for "group", which is potentially very dangerous since any user in the same group as myself can potentially edit the file (maybe not delete it since the top folder has only r rights for group). Looking further we found that:

head $MDSPLUS_DIR/bin/SetMdsplusFileProtection
#!/bin/sh
#
# Change group of file to that of the container directory
# Change mode to allow user and group read,write and other read
chgrp $1 --reference=`dirname $1`
chmod 0664 $1

whereas I would expect 644 permissions.

Is there any strong reason why group permissions MUST be RW or can we set it to R only? Note that the databases in question are meant to be PERSONAL db and not a shared workspace where multiple users are allowed to write to. This might also be needed but it is clearly an exception which we can/should be able to set on special occasions.

rui-coelho avatar May 10 '24 07:05 rui-coelho
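
An added example, not part of the original issue or of MDSplus: because the script quoted above sets the mode with an explicit `chmod 0664`, the creating user's umask has no effect on the result. The shell functions below audit a directory for files carrying the group-write bit and clear only that bit; the sample file names and the temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not MDSplus code: audit a directory of tree files for the
# group-write bit left by `chmod 0664`, and clear only that bit.

# Symbolic mode string of a file, e.g. -rw-rw-r--
mode_of() { ls -ld "$1" | cut -c1-10; }

# Count regular files under DIR that have group-write set (safe for odd names).
count_group_writable() {
    find "$1" -type f -perm -020 -exec printf '.' \; | wc -c | tr -d ' '
}

# Print the offending files, one per line, for review before changing anything.
list_group_writable() { find "$1" -type f -perm -020 -print; }

# Remove group-write only; owner bits and read bits are left as they are.
tighten_group_writable() { find "$1" -type f -perm -020 -exec chmod g-w {} +; }

# Constructed sample: three files created under umask 077, two of which then
# get the explicit `chmod 0664` shown in the issue. File names are made up.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    ( umask 077
      : > "$d/mytree_001.tree"; : > "$d/mytree_001.datafile"; : > "$d/notes.txt"
      chmod 0664 "$d/mytree_001.tree" "$d/mytree_001.datafile" )
    printf '%s\n' "$d"
}

demo() {
    dir=$(make_sample_tree) || return 1
    echo "umask 077 did not help: $(mode_of "$dir/mytree_001.tree")"
    echo "group-writable before: $(count_group_writable "$dir")"
    list_group_writable "$dir"
    tighten_group_writable "$dir"
    echo "group-writable after:  $(count_group_writable "$dir")"
    echo "mode after: $(mode_of "$dir/mytree_001.tree")"
    rm -rf "$dir"
}
demo
```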