stanford-rc / globus.stanford.edu

globus.stanford.edu — The Globus @ Stanford web site
https://globus.stanford.edu/

Intricacies of umask and GridFTP permissions #20

Closed akkornel closed 6 years ago

akkornel commented 6 years ago

Some feedback from @kamchan:

In DLSS’s environment, our users may need to access globus transferred data from different users on our globus server. You’ve addressed that in your document via groups and umasks etc. What I found was I also needed in /etc/gridftp.conf a “perm 664” line. Even though the umask was set in /etc/init.d/globus-gridftp-server (umask 002), the file permissions still didn’t give me the desired access until that perm setting is specified and after making sure that globus users belong to the same primary globus group.

Hmmmmmm, OK, that's definitely a content change.

@kamchan, is the line you set perm, or perms? Looking at http://toolkit.globus.org/toolkit/docs/latest-stable/gridftp/developer/index.html, it seems to me like the line should be perms.

Reading more into that link, I see that whatever you set with the perms command is going to be modified by the umask that GridFTP is running under. @kamchan, what were the final permissions that you were trying to get? I'm actually wondering if there would be a way to get your desired permissions, without modifying the umask, and just messing with the perms line.

Finally, could you please clarify the phrase "belong to the same primary globus group" ?

Thanks much!

kamchan commented 6 years ago

Hi Karl,

Sorry, the exact line I added to /etc/gridftp.conf is

perms 664

The final permission I was trying to get was 664 (user/group r/w and world readable). Without that, I "think" it was still getting 644 even with the umask 002 change in /etc/init.d/globus-gridftp-server.

And finally on our globus server, we created a group (globus) and I wanted to make sure that all of our individual globus users on that server have the same gid (globus) so they can cross access other globus contents on that server.

Thanks,
Kam
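An added example, not part of the thread or of the Globus documentation, showing the interaction discussed above: the mode requested when a file is created is masked by the process umask, so umask 002 cannot add group write to a 644 request, while a 664 request under umask 002 yields 664. The 644 figure comes from kamchan's observation and is assumed here to be the requested mode; `created_mode` and `audit_shared_tree` are hypothetical helper names.

```python
import os
import stat
import tempfile


def created_mode(requested, umask):
    """Create a file with open(2)-style mode `requested` while the process
    umask is `umask`; return the permission bits the file ends up with."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "upload.dat")
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, requested)
            os.close(fd)
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)  # always restore the caller's umask


def audit_shared_tree(root, gid, want=0o664):
    """List regular files under `root` that lack any bit in `want` or are
    not owned by group `gid` (files other group members cannot share)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if (mode & want) != want or st.st_gid != gid:
                findings.append((path, oct(mode), st.st_gid))
    return findings


if __name__ == "__main__":
    # Constructed cases: 0o644 is the mode reported in the thread when no
    # perms line was set (assumed here to be the requested mode).
    cases = [(0o644, 0o002), (0o664, 0o022), (0o664, 0o002)]
    for requested, umask in cases:
        got = created_mode(requested, umask)
        print(f"requested {requested:04o}  umask {umask:03o}  ->  {got:04o}")
```

`audit_shared_tree` can be pointed at a transfer directory with the shared group's gid to find uploads that other group members still cannot write.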

akkornel commented 6 years ago

Hi @kamchan, would you mind checking out https://stanford-rc.github.io/globus.stanford.edu/scenarios.html and the "How do I control permissions for uploaded files?" question? I think I managed to integrate your experiences.

Let me know if anything needs to change!

kamchan commented 6 years ago

Hi @akkornel, your explanations on the file permissions look good.

Thanks,
Kam