
RW on mds+ shotfiles for "group" in linux

Open rui-coelho opened this issue 1 year ago • 4 comments

Affiliation IST Lisbon

Version(s) Affected 7.96.1/intel/2020

Platform Operating System: CentOS Linux 7 (Core) CPE OS Name: cpe:/o:centos:centos:7 Kernel: Linux 3.10.0-693.el7.x86_64

Description At the linux cluster we are using (EUROfusion Gateway), by default every time a new shotfile is created using the mds+ backend we see that the file permissions are RW for "group" which is potentially very dangerous since any user in the same group as myself can potentially edit the file (maybe not delete it since the top folder has only r rights for group). Looking further we found that:

head $MDSPLUS_DIR/bin/SetMdsplusFileProtection
#!/bin/sh
#
# Change group of file to that of the container directory
# Change mode to allow user and group read,write and other read
chgrp $1 --reference=`dirname $1`
chmod 0664 $1

whereas I would expect 644 permissions.

Is there any strong reason why group permissions MUST be RW or can we set it to R only? Note that the databases in question are meant to be PERSONAL db and not a shared workspace where multiple users are allowed to write on. This might also be needed but it is clearly an exception which we can/should be able to set on special occasions.

rui-coelho avatar May 10 '24 07:05 rui-coelho

MDSplus does not require special permissions on any specific group. Effective read access for the reading process and write access for writing is all that is needed. You may restrict permissions and even predefine the group of new files using attributes on the folder. Use tools like setfacl to tune ownership and umask of new files.

zack-vii avatar May 12 '24 17:05 zack-vii

Just to log it here, this is the line that decides the default permissions of a new shotid.sys file: https://github.com/MDSplus/mdsplus/blob/c60ba96b14d6be1a423e54e57a876d0d115245aa/treeshr/TreeGetSetShotId.c#L123

I'm not sure we want to change this default, I would not be surprised if there are people relying on group-write.

WhoBrokeTheBuild avatar May 30 '24 15:05 WhoBrokeTheBuild

Is the question limited to just the shotid.sys file, or does it also apply to the "trees" (<tree>_<shot>.tree, .datafile, .characteristics)? Which could also include the "model" (shot = -1) if the model is kept in the same directory as the trees and shotid.sys file.

mwinkel-dev avatar May 30 '24 16:05 mwinkel-dev

My understanding is that the final file permissions are determined by the UMASK of the user doing the create pulse and some combination of the source and destination file permissions. The script referred to in this issue is one that we used at C-Mod to get the behavior we wanted. It was invoked as part of our shot cycle.

So the question(s) is(are): who / what program(s) is doing the create pulse? What is the source file protection, what is the user's UMASK, are there ACLs on any of the files or directories?

joshStillerman avatar May 30 '24 16:05 joshStillerman
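An added example (not part of the thread and not MDSplus code) of the two mechanisms discussed above: the creating process's umask decides the mode of a new file, while an explicit `chmod 0664` like the one in `SetMdsplusFileProtection` overrides it. The file names and scratch directory are constructed, the helper function names are hypothetical, and directory default ACLs are not exercised.

```shell
#!/bin/sh
# Added example. File names are constructed; the scratch directory stands in
# for a personal tree directory. Assumes POSIX sh, find and mktemp.

# Create an empty file under a given umask. The shell requests mode 0666 on
# creation, so the resulting mode is 0666 & ~umask.
create_with_umask() {            # $1 = umask, $2 = path
    ( umask "$1" && : > "$2" )   # subshell keeps the caller's umask unchanged
}

# Print regular files under $1 that have the group-write bit set.
list_group_writable() {          # $1 = directory
    find "$1" -type f -perm -020 | sort
}

# Clear group write on those files; all other mode bits are left alone.
drop_group_write() {             # $1 = directory
    find "$1" -type f -perm -020 -exec chmod g-w {} +
}

demo() {
    d=$(mktemp -d) || return 1
    create_with_umask 022 "$d/demo_1.tree"   # 0644: umask removes group write
    create_with_umask 002 "$d/demo_2.tree"   # 0664: umask allows group write
    create_with_umask 077 "$d/demo_3.tree"   # 0600 at creation ...
    chmod 0664 "$d/demo_3.tree"              # ... explicit chmod ignores umask
    echo "group-writable before:"; list_group_writable "$d"
    drop_group_write "$d"
    echo "group-writable after:";  list_group_writable "$d"
    rm -rf "$d"
}

demo
```

Running `list_group_writable` on a real tree directory before changing anything shows which files were affected by a permissive umask or by a post-creation chmod.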

I'm going to close this as there hasn't been further input, feel free to reopen it if you have things to add.

WhoBrokeTheBuild avatar Jul 31 '24 17:07 WhoBrokeTheBuild