
[gfarm-discuss:03941] Re: Gfarm + Autofs



Yes. Others can also write to other users' home directories as well :). Actually it's quite weird: sometimes a user can't create the file ("Permission Denied"). Sometimes the file can be created. But without allow_other, no one except root can access gfarm.

I agree that patching autofs to have better support for fuse would be better. But for now, I am trying to follow the same scheme as vfat+autofs, where only a specific user can access the directory. Could you suggest a solution?

Thank you very much.

Osamu Tatebe wrote:
Hi Somsak,

Thanks for the great contribution!  I also tried to work with autofs
once, but could not find a smart solution for that.

I have a question about allow_others.  I think if it is mounted with
allow_others option, the mount directory can be accessed by anyone but
using the mounting user's privilege.  In this case, Gfarm security is
not applied.  Would you make sure again whether anyone can create
files or not?  I guess anyone can create files as if everyone were a
user that mounts with allow_others.

I think it is better to work with autofs such that autofs can utilize
fuse (i.e., mounting in userspace) instead of switching a user before
every Gfarm function call.  It should be easier, much more secure and
also smarter, I think.  What do you think?

Thanks,
Osamu

On Fri, 08 Sep 2006 18:18:51 +0700
Somsak Sriprayoonsakul <somsak_sr@xxxxxxxxxxxxxx> wrote:

  
Hello,

    In the course of trying to make gfarm-fuse automatic using autofs,
I found no documents/guides related to this topic, so I did some
patching to gfarmfs-fuse and made it work with my autofs. Attached to
this e-mail is the patch that makes gfarmfs-fuse obey the uid= and gid=
options of fuse. Here's my set-up:

/etc/auto.master: /grid /etc/auto.grid   --timeout=1200

    /etc/auto.grid is the program map. Somehow the program map is not
working on compute nodes of ROCKS 4.2, so I have to switch back to a file
map. A program map is better since fuse only accepts numeric values of uid
and gid. Below is my program map.

/etc/auto.grid:
uid=$(id -u)
gid=$(id -g)
echo "-fstype=fuse,uid=$uid,gid=$gid,allow_other   gfarmfs"

Platform: ROCKS 4.1 (RHEL4) on x86_64
Gfarm: 1.3.1 (no GSI). We're using Gfarm as Cluster file system.
Gfarmfs-fuse: 1.2.1

    When a user accesses /grid/user1, their gfarm home will be mapped to
/grid/user1/user1. This works quite well. allow_other is a must, since
fuse will consider this mount as root's, but we need to allow the real
owner to access it. But only the real owner can create the file since
gfarm security is still applied.

    I put seteuid/setegid wrappers around every function to make gfarm
believe that it is run by that user (I put in some condition so only root
can do this). Will we have any other security issue with this patch? Also,
sometimes gfarmfs locks up. I'm not sure why, but it comes back to
work again when I do "killall -9 gfarmfs fusermount" :). I'm not sure
whether this is the result of my seteuid/setegid patch.

Regards,

-- 
-----------------------------------------------------------------------------------
Somsak Sriprayoonsakul

Thai National Grid Center
Software Industry Promotion Agency
Ministry of ICT, Thailand
somsak_sr@xxxxxxxxxxxxxx
-----------------------------------------------------------------------------------


    

  


-- 
-----------------------------------------------------------------------------------
Somsak Sriprayoonsakul

Thai National Grid Center
Software Industry Promotion Agency
Ministry of ICT, Thailand
somsak_sr@xxxxxxxxxxxxxx
-----------------------------------------------------------------------------------
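
Added example, not part of the thread or of the patch attached to it: a sketch of the seteuid/setegid wrapping discussed above, showing what such a wrapper has to get right (group before user, every return value checked, reverse-order restore, and one lock because glibc applies the change to all threads). The names run_as, op_fn and probe_euid are hypothetical; in a FUSE daemon the uid and gid would be assumed to come from the calling request.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* seteuid()/setegid() in glibc change the IDs of every thread in the
 * process, so a multithreaded daemon must serialise the switched section. */
static pthread_mutex_t id_lock = PTHREAD_MUTEX_INITIALIZER;

typedef int (*op_fn)(void *arg);

/* Hypothetical helper (not a Gfarm or FUSE API): run op(arg) with the given
 * effective IDs. Returns op's result, or -errno if the switch failed, in
 * which case op is never called. Supplementary groups are not changed. */
int run_as(uid_t uid, gid_t gid, op_fn op, void *arg)
{
    uid_t old_uid = geteuid();
    gid_t old_gid = getegid();
    int ret;

    pthread_mutex_lock(&id_lock);
    /* Group first: once euid is no longer root, setegid() to another
     * group is refused. */
    if (setegid(gid) != 0) { ret = -errno; goto unlock; }
    if (seteuid(uid) != 0) { ret = -errno; goto restore_gid; }
    ret = op(arg);
    /* Restore in reverse order; continuing under the wrong identity
     * would be worse than stopping, so failure here is fatal. */
    if (seteuid(old_uid) != 0) abort();
restore_gid:
    if (setegid(old_gid) != 0) abort();
unlock:
    pthread_mutex_unlock(&id_lock);
    return ret;
}

/* Sample operation: record the effective uid it runs under. */
int probe_euid(void *arg)
{
    *(uid_t *)arg = geteuid();
    return 0;
}

int main(void)
{
    uid_t seen = (uid_t)-1;
    int r = run_as(geteuid(), getegid(), probe_euid, &seen);
    printf("run_as -> %d, op saw euid %lu\n", r, (unsigned long)seen);
    return 0;
}
```

Holding one lock across every wrapped call serialises all filesystem operations, which is the cost of switching process-wide identity inside a threaded daemon.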