[gridftp-dev] gridftp user sandbox
Olle Mulmo
mulmo at univa.com
Thu Mar 1 01:47:22 CST 2007
[Note to list: This is not the first time someone has asked about this
type of functionality. We ought to add a sample authz callout that fixes
this once and for all.]
That still won't hinder people from writing to e.g. /tmp and other
"public areas" though.
Short of putting the whole globus installation tree under /sandbox
and starting the gridftp server chrooted, I think the only other
"safe" option is to write an authorization callout plugin that
explicitly denies any file operation outside of some particular
directory tree (such as /sandbox or /sandbox/${username}).
This is actually quite easy to do - the only problem is to find
all the related information:
http://www.globus.org/api/c-globus-4.0/globus_authz/html/index.html#_top
http://www.globus.org/toolkit/docs/4.0/security/prewsaa/Pre_WS_AA_Public_Int
erfaces.html#prewsaa-env-gsiauthz
Code-wise, you can start off by modifying the code under
source-trees/gsi/authz_null_callout/source/, which you will find in
your distribution. Then create a gsi-authz.conf file in which you
point to by setting GSI_AUTHZ_CONF before starting the gridftp server.
While a different authz plugin is used on the page below, it lists how
GridFTP commands, such as RETR or STOR, get mapped into the operation
names that appear in the authz callout interface (read, write, create).
http://www.globus.org/toolkit/docs/4.0/security/cas/WS_AA_CAS_HOWTO_Setup_Gr
idFTP.html
Good luck,
/Olle
-----Original Message-----
From: owner-ccutil-dev at globus.org [mailto:owner-ccutil-dev at globus.org] On
Behalf Of John Bresnahan
Sent: Thursday, March 01, 2007 2:24 AM
To: Justin Permar
Cc: gridftp-dev at globus.org
Subject: Re: [gridftp-dev] gridftp user sandbox
One way you can accomplish this by running the server as a user (not root)
which only has access to
the files in /sandbox. Every entry in the gridmap should map to that user.
If /sandbox is that
users homedir the server will start there.
Justin Permar wrote:
> Hello,
>
>
>
> I am trying to configure gridftp so that all users are essentially in
> one "sandbox". That is, I'd like all users, after successful login, to
> start in /sandbox, for example, and not be able to get any files off the
> server except those that are in /sandbox. How do I go about that? Does
> CAS fill this need?
>
>
>
> I do see gridftp has two options: 1) -chdir, and 2) -ch-dir-to /sandbox
>
>
>
> I figure these two options are relevant but seem as mostly a convenient
> to put the user in an initial directory, but don't restrict the user's
> actions.
>
>
>
> Thanks in advance.
>
>
>
>
>
> Justin
>
>
More information about the gridftp-dev
mailing list