[workspace-user] umask on repository node

Tim Freeman tfreeman at mcs.anl.gov
Wed Mar 17 09:13:31 CDT 2010

On Wed, 17 Mar 2010 00:01:34 +0100
Pierre Riteau <Pierre.Riteau at irisa.fr> wrote:

> Hello,
> The cloud guide says that user umasks should be set to 0007 to allow their
> files to be modified by the account used to SSH to the repository node from
> VMMs. However, I couldn't manage to get that behavior: when I run
> globus-gridftp-server with this umask, files are created with mode 640
> (-rw-r-----). How can I configure GridFTP to get the right result? I am
> using GridFTP from Globus 4.2.1.

Looks like I messed up the docs there, sorry, added note in bugzilla to clean
that up.  GridFTP won't allow you to get a file with more "open" permissions
than 644.  Using a umask will allow you to get more restrictive though.

To get into a sane state where the hypervisor nodes can write files back to
the user's directory (the "save-as" functionality triggered by --save and
--save --newname) there are a few methods, listed here in the order of least
to most admin intervention.

Shared: put cloud users under the same unix account.  Use only if you trust
remote users to not to play URL phishing games to read/write other people's
files (i.e., use this when you most care about keeping the world at large out
altogether but expect no malicious behavior from your small user base).

Cron: run a cron job over the whole /cloud directory every ~5 seconds that
adds g+w on non-root owned files.  This is a little cheesy but it works since
in practice there will never be a race condition in that small of a window.

SCP: alter the progam called by workspace-control to be a wrapper script around
scp that (for writes) first adjusts (via sudo) the target file to g+w if it's
non-root owned.

We've been working on getting some changes into GridFTP that would actually
allow us to use it under one unix account but it would do path based pattern
matching to make sure the remote user is only reading/writing to the proper
subdirectory.  Looking forward to a solution like that since it would make the
whole setup experience a lot nicer.


> Regards.
> -- 
> Pierre Riteau -- PhD student, Myriads team, IRISA, Rennes, France
> http://perso.univ-rennes1.fr/pierre.riteau/

More information about the workspace-user mailing list