search

ioos / ioosngdac

IOOS National Glider Data Assembly Center (V2)
https://ioos.github.io/ioosngdac/
8 stars 18 forks source link

Users can ftp files to their home directory #154

Closed kerfoot closed 1 year ago

kerfoot commented 3 years ago

Just found this out the hard way, but I was able to upload .nc files from a dataset to my data provider home directory. I'm writing a python ftp script to push files and forgot to add the dataset folder name to the upload path. But the files were transferred nonetheless. Probably should not allow this.

benjwadams commented 3 years ago

I'm not entirely clear on the issue here, but I don't see any files uploaded to /home subdirectories, and users are chrooted in the current FTP setup. I will need more clarification on what occurred here.

kerfoot commented 3 years ago

I wrote a python script to automate ftp transfers to the DAC. In the script, I forgot to set the dataset directory before I started uploading. The files were successfully transferred to my data provider home directory. This was done on dev and I deleted the files, but can re-create them if you need proof. Let me know

On Wed, Oct 21, 2020 at 3:02 PM Benjamin Adams notifications@github.com wrote:

I'm not entirely clear on the issue here, but I don't see any files uploaded to /home subdirectories, and users are chrooted in the current FTP setup. I will need more clarification on what occurred here.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/ioos/ioosngdac/issues/154#issuecomment-713807689, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAVGNLIHN7YUCXP5SJIDVLDSL4V6DANCNFSM4SZYI66Q .

benjwadams commented 3 years ago

So the directory should be set to /data/submission/$username. We can disable write bit on that particular directory, only relying on the providers application to create the subdirectories. We'd likely have to have the application running as another user with write permissions so it can create the subdirectories.

kerfoot commented 1 year ago

Reopening this as a user ftp'd files to their user directory and not the deployment directory. The files were ftp'd to:

/data/data/priv_erddap/USERNAME

and not:

/data/data/priv_erddap/USERNAME/DEPLOYMENT

We need to address this

benjwadams commented 1 year ago

As far as I know, this isn't easily addressable with Linux FACLs without also disabling write permissions in the "base" FTP virtual directory. It's possible to disable write to the base directory, but then users will have to create a deployment only through the providers application.

kerfoot commented 1 year ago

Understood. I'll close this for now and we'll likely have to deal with the situation, when it comes up, by hand.