Bug #41663

open

ceph-post-file creates files that are inaccessible to non-privileged users

Added by Brad Hubbard over 4 years ago. Updated 11 months ago.

Status: New
Priority: High
Assignee:
% Done: 0%
Source: Development
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Crash signature (v1):
Crash signature (v2):

Description

Several times now I've been asked to look at data uploaded with ceph-post-file only to find it is not readable by my login. At other times it is readable and everything is fine. Whether this bug belongs in the sepia project depends on where we fix it, but I thought here was a good place to start anyway.

Actions #1

Updated by Brad Hubbard over 4 years ago

  • Description updated

Actions #2

Updated by Brad Hubbard over 4 years ago

  • Project changed from sepia to Ceph
  • Category deleted (Infrastructure Service)

Changed my mind. I don't think this belongs in the sepia project so plonking it here.

Actions #3

Updated by David Galloway over 4 years ago

  • Project changed from Ceph to Infrastructure
  • Assignee set to David Galloway

Can you give me an example of dirs you can and can not access?

Actions #4

Updated by Brad Hubbard over 4 years ago

David Galloway wrote:

Can you give me an example of dirs you can and can not access?

I'm afraid I can't any longer, David, since I got Dan to change perms as I needed access to those files. Dan did mention there were others with similar permissions though. The files I'm referring to were from the posts in #41618. Dan mentioned he believed the files are sftp'ed to with whatever perms are set at the client end, and a quick review of the script seems to confirm that.

Actions #5

Updated by Dan Mick over 4 years ago

dmick@teuthology:~$ find /ceph/post/ -type f -perm 600 -ls

Actions #6

Updated by Dan Mick over 4 years ago

I think the issue is that the file perms are whatever they are on the source system, modified by the umask that the sshd server/user apply. There doesn't seem to be anything in the sftp client or server to legislate the permission. So I can imagine either changing ceph-post-file to do a chmod after upload, or having some kind of periodic cron to update them or something.
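
The server-side option raised in comment #6 (a periodic sweep instead of a client-side chmod), as an added example that is not part of the original thread or of ceph-post-file. The function names are hypothetical, and it assumes the sweep runs as the account that owns the uploads and that "accessible" means group/other read on files plus read/search on directories:

```shell
#!/bin/sh
# Added example (hypothetical helper names); not ceph-post-file code.
# Assumes the sweep runs as the account that owns the uploaded files.

# Print every file or directory under $1 that group/other cannot read.
list_unreadable() {
    find "$1" \( -type f ! -perm -044 \) -o \( -type d ! -perm -055 \)
}

# Add only the missing read bits; never reset or widen anything else.
fix_upload_perms() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    # Directories need r+x for group/other, or readable files inside
    # them remain unreachable.
    find "$root" -type d ! -perm -055 -exec chmod go+rx {} +

    # -type f matches regular files only, so a symlink placed in an
    # upload is never chmod'ed through to a target outside the tree.
    find "$root" -type f ! -perm -044 -exec chmod go+r {} +
}

# Usage from cron or by hand: sh fix-perms.sh /path/to/upload/root
if [ "$#" -gt 0 ]; then
    fix_upload_perms "$1"
fi
```

Because the sweep only adds read bits, a file uploaded as 600 ends up 644 while one uploaded as 700 ends up 744, and the source file on the client is never touched.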

Actions #7

Updated by Brad Hubbard over 4 years ago

$ chmod 600 ceph-mgr
$ bin/ceph-post-file ceph-mgr
...
ceph-post-file: dcc794be-12a7-466e-96dc-4e1b5a8aec4f

On teuthology...


$ ls -l /ceph/post/dcc794be-12a7-466e-96dc-4e1b5a8aec4f_brad@rskikr2_fca1c3d8-63a2-476a-a33d-b3eddabb6326/
total 4029
-rw------- 1 teuthworker teuthworker 4124784 Sep  5 23:41 ceph-mgr
-rw------- 1 teuthworker teuthworker      13 Sep  5 23:41 user

Actions #8

Updated by David Galloway over 4 years ago

Brad Hubbard wrote:

[...]

On teuthology...
[...]

Sooo ceph-post-file should chmod 600 before uploading? Cuz that's doable.

Actions #9

Updated by Brad Hubbard over 4 years ago

David Galloway wrote:

Brad Hubbard wrote:

[...]

On teuthology...
[...]

Sooo ceph-post-file should chmod 600 before uploading? Cuz that's doable.

I guess you mean 644 or similar? If I were anal I might see doing that on the client as a security issue, even if making a copy first.

Actions #10

Updated by Laura Flores 11 months ago

  • Assignee changed from David Galloway to Brad Hubbard

Hey Brad, have you still been seeing this happen?
