[gfarm-discuss:03938] Re: Gfarm + Autofs
- From: Osamu Tatebe <tatebe@xxxxxxxxxxxxxxxx>
- Date: Mon, 11 Sep 2006 21:50:47 -0400
Hi Somsak,
Thanks for the great contribution! I also tried to work with autofs
once, but could not find a smart solution for that.
I have a question about allow_other. I think if it is mounted with
the allow_other option, the mount directory can be accessed by anyone but
using the mounting user's privilege. In this case, Gfarm security is
not applied. Would you make sure again whether anyone can create
files or not? I guess anyone can create files as if everyone were a
user that mounts with allow_other.
I think it is better to work with autofs such that autofs can utilize
fuse (i.e., mounting in userspace) instead of switching a user before
every Gfarm function call. It should be easier, much more secure and also
smarter, I think. What do you think?
Thanks,
Osamu
On Fri, 08 Sep 2006 18:18:51 +0700
Somsak Sriprayoonsakul <somsak_sr@xxxxxxxxxxxxxx> wrote:
> Hello,
>
> In the course of trying to make gfarm-fuse automatic using autofs,
> I found no documents/guides related to this topic, so I did some
> patching to gfarmfs-fuse and made it work with my autofs. Attached to
> this e-mail is the patch that makes gfarmfs-fuse obey the uid= and gid=
> options of fuse. Here's my set-up:
>
> /etc/auto.master: /grid /etc/auto.grid --timeout=1200
>
> /etc/auto.grid is the program map. Somehow the program map is not
> working on compute nodes of ROCKS 4.2 so I have to switch back to a file
> map. A program map is better since fuse only accepts numeric values of uid
> and gid. Below is my program map.
>
> /etc/auto.grid:
> uid=$(id -u)
> gid=$(id -g)
> echo "-fstype=fuse,uid=$uid,gid=$gid,allow_other gfarmfs"
>
> Platform: ROCKS 4.1 (RHEL4) on x86_64
> Gfarm: 1.3.1 (no GSI). We're using Gfarm as Cluster file system.
> Gfarmfs-fuse: 1.2.1
>
> When a user accesses /grid/user1, their gfarm home will be mapped to
> /grid/user1/user1. This works quite well. allow_other is a must, since
> fuse will consider this mount as root, but we need to allow the real
> owner to access it. But only the real owner can create the file since
> gfarm security is still applied.
>
> I put a seteuid/setegid wrap around every function to make gfarm
> believe that it is run by that user (I put in some condition so only root can
> do this). Will we have any other security issue with this patch? Also,
> sometimes the gfarmfs locks up. I'm not sure why, but it comes back to
> work again when I do "killall -9 gfarmfs fusermount" :). I'm not sure
> whether this is the result of my seteuid/setegid patch.
>
> Regards,
>
> --
> -----------------------------------------------------------------------------------
> Somsak Sriprayoonsakul
>
> Thai National Grid Center
> Software Industry Promotion Agency
> Ministry of ICT, Thailand
> somsak_sr@xxxxxxxxxxxxxx
> -----------------------------------------------------------------------------------
>
>
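Added example, not part of this thread and not the code of the attached patch (which is not shown here): a sketch in C of the per-call seteuid/setegid wrap discussed above, with the checks such a wrapper needs when the mount uses allow_other. The names `run_as_caller`, `op_fn` and `record_euid` are hypothetical, and taking the caller's uid/gid from `fuse_get_context()` is an assumption about how the daemon would obtain them.

```c
#define _POSIX_C_SOURCE 200112L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

typedef int (*op_fn)(void *arg);   /* hypothetical: one wrapped Gfarm call */

/* Run op() with the requesting user's effective uid/gid, then restore.
 * In a FUSE daemon uid/gid would come from fuse_get_context() (assumed).
 * Returns op()'s result, or -errno if the switch was refused (op not run).
 * Not handled: supplementary groups, and multithreading (the effective
 * ids are process-wide, so concurrent requests need serializing). */
int run_as_caller(uid_t uid, gid_t gid, op_fn op, void *arg)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int rc;

    if (uid == saved_uid && gid == saved_gid)
        return op(arg);            /* caller is the daemon's own user */
    if (saved_uid != 0)
        return -EPERM;             /* non-root daemon: never act for others */

    if (setegid(gid) != 0)         /* group first, while euid is still 0 */
        return -errno;
    if (seteuid(uid) != 0) {
        rc = -errno;
        if (setegid(saved_gid) != 0)
            abort();               /* half-switched identity: stop */
        return rc;
    }
    rc = op(arg);
    /* Regain euid 0 first, then the group; never continue if this fails. */
    if (seteuid(saved_uid) != 0 || setegid(saved_gid) != 0)
        abort();
    return rc;
}

/* Sample operation: record which effective uid the call ran under. */
int record_euid(void *arg) { *(uid_t *)arg = geteuid(); return 0; }

int main(void)
{
    uid_t seen = (uid_t)-1;
    int rc = run_as_caller(geteuid(), getegid(), record_euid, &seen);
    printf("rc=%d ran as euid=%ld\n", rc, (long)seen);
    return rc == 0 ? 0 : 1;
}
```

The `-EPERM` branch is the case raised in the reply: a daemon that cannot switch identity refuses requests from other users instead of serving them with the mounting user's privilege.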