Bug #41663
open
ceph-post-file creates files that are inaccessible to non-privileged users
Added by Brad Hubbard over 4 years ago.
Updated 12 months ago.
Description
Several times now I've been asked to look at data uploaded with ceph-post-file only to find it is not readable by my login. At other times it is readable and everything is fine. Whether this bug belongs in the sepia project depends on where we fix it, but I thought here was a good place to start anyway.
- Description updated (diff)
- Project changed from sepia to Ceph
- Category deleted (Infrastructure Service)
Changed my mind. I don't think this belongs in the sepia project so plonking it here.
- Project changed from Ceph to Infrastructure
- Assignee set to David Galloway
Can you give me an example of dirs you can and can not access?
David Galloway wrote:
Can you give me an example of dirs you can and can not access?
I'm afraid I can't any longer, David, since I got Dan to change perms as I needed access to those files. Dan did mention there were others with similar permissions though. The files I'm referring to were from the posts in #41618. Dan mentioned he believed the files are sftp'ed to postfile@drop.ceph.com with whatever perms are set at the client end, and a quick review of the script seems to confirm that.
dmick@teuthology:~$ find /ceph/post/ -type f -perm 600 -ls
I think the issue is that the file perms are whatever they are on the source system, modified by the umask that the sshd server/user apply. There doesn't seem to be anything in the sftp client or server to legislate the permission. So I can imagine either changing ceph-post-file to do a chmod after upload, or having some kind of periodic cron to update them or something.
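A sketch of the periodic server-side option mentioned in the comment above, as an added example that is not part of the thread or of ceph-post-file. It assumes uploads should become readable but never writable by other users (the "644 or similar" idea raised later in the thread); the function name and the two mode variables are made up for this example.

```shell
#!/bin/sh
# Added example: permission normalisation for an sftp drop directory,
# meant to be run periodically by the account that owns the uploads.
# Assumption: world-readable uploads are acceptable on this host.

FILE_ADD='go+r'    # read only: never grant write or execute on uploaded files
DIR_ADD='go+rx'    # directories also need search permission to be entered

# normalize_post_perms ROOT
# Prints one line per path whose mode was changed.
# Returns non-zero if ROOT is missing or is a symlink.
normalize_post_perms() {
    root=$1
    if [ ! -d "$root" ] || [ -L "$root" ]; then
        echo "normalize_post_perms: not a real directory: $root" >&2
        return 1
    fi
    # find does not follow symlinks by default, and -type d / -type f never
    # match a symlink, so a link placed inside an upload cannot be used to
    # loosen the mode of a file outside the drop directory.
    # Directories are handled first so the files below them become reachable.
    find "$root" -type d ! -perm -055 -exec chmod "$DIR_ADD" {} \; -print
    find "$root" -type f ! -perm -044 -exec chmod "$FILE_ADD" {} \; -print
}
```

Because only paths that are missing read bits are touched and printed, a second run over the same tree prints nothing, which makes the output usable as a log of which uploads arrived with restrictive modes.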
$ chmod 600 ceph-mgr
$ bin/ceph-post-file ceph-mgr
...
ceph-post-file: dcc794be-12a7-466e-96dc-4e1b5a8aec4f
On teuthology...
$ ls -l /ceph/post/dcc794be-12a7-466e-96dc-4e1b5a8aec4f_brad@rskikr2_fca1c3d8-63a2-476a-a33d-b3eddabb6326/
total 4029
-rw------- 1 teuthworker teuthworker 4124784 Sep 5 23:41 ceph-mgr
-rw------- 1 teuthworker teuthworker 13 Sep 5 23:41 user
Brad Hubbard wrote:
[...]
On teuthology...
[...]
Sooo ceph-post-file should chmod 600 before uploading? Cuz that's doable.
David Galloway wrote:
Brad Hubbard wrote:
[...]
On teuthology...
[...]
Sooo ceph-post-file should chmod 600 before uploading? Cuz that's doable.
I guess you mean 644 or similar? If I were anal I might see doing that on the client as a security issue, even if making a copy first.
- Assignee changed from David Galloway to Brad Hubbard
Hey Brad, have you still been seeing this happen?