How to jail Globus user in its own home directory on a Globus EndPoint?


Mauro Tridici

May 12, 2020, 2:21:27 AM
to User Discuss
Dear All,

did you find a way to jail a Globus user in their own home directory on a Globus Endpoint?
I would like to use the RestrictPaths option in the config file, but I was not able to make it work.

Thank you in advance,
Mauro

Gigi Kennedy

May 12, 2020, 1:54:30 PM
to user-d...@globus.org
Hi Mauro,

Please help us to understand your issue more clearly.

Do you have a GCSv4 or GCSv5 endpoint?
Are you trying to keep all users to a specific path? Some users to a specific path? Users to their own specific path?

Your GCSv4 config file has information here - 
RestrictPaths =
If you do not want to set any restrictions, please comment this out. Otherwise -
Restricted path configuration.
A comma separated list of full paths that clients may access. Each path may be prefixed by R and/or W, denoting read or write access, or N to explicitly deny access to a path. If a given path is a directory, all contents and subdirectories will be given the same access. Order of paths does not matter -- the permissions on the longest matching path will apply. The special character '~' will be replaced by the authenticated user's home directory, and * may be used for simple wildcard matching.
By default all paths are allowed, and access control is handled by the OS.
Examples:
Allow read access to /data and full access to the user's home directory:
RestrictPaths = RW~,R/data
Allow full access to the home directory, but deny hidden files there:
RestrictPaths = RW~,N~/.*

GCSv5 installation guide has information here -
https://docs.globus.org/globus-connect-server-v5-installation-guide/#storage-gateway-create-section

The --restrict-paths option can be used to place further access restrictions on how directories located in the storage system for which the storage gateway is configured can be accessed. Paths are specified in a comma separated list prefixed by the access permission permitted for the path as given by: R(read), RW(read/write), or N(no access).

For example, consider a storage gateway rooted at /data that the storage gateway creator wants to make available to users generally read/write. Let us also assume that there is a directory /data/static that the creator of the storage gateway wants to make accessible in a read-only manner. Let us further say that there is a /data/secret directory that the storage gateway creator does not want to be accessible via this storage gateway at all. This could be accomplished by setting the --restrict-paths option to RW/data,R/data/static,N/data/secret.
and this -
https://docs.globus.org/globus-connect-server-v5-installation-guide/#creating_a_storage_gateway_using_the_posix_storage_connector

  • The --users-deny option is used to specify a list of local user accounts that are explicitly forbidden from creating collections using this storage gateway. Users are specified as a comma separated list. This option takes precedence over the --users-allow, --groups-deny, and --groups-allow options.

  • The --users-allow option is used to specify the complete list of local users that are allowed to create collections using this storage gateway. If --users-allow is used, only the specified local accounts are permitted to create collections via this gateway. Users are specified as a comma separated list. This option takes precedence over the --groups-deny and --groups-allow options, but is overridden by --users-deny.

  • The --groups-deny option is used to specify a list of local groups whose members are explicitly forbidden from creating collections using this storage gateway. Groups are specified as a comma separated list. This option takes precedence over the --groups-allow option but is overridden by --users-deny and --users-allow.

  • The --groups-allow option is used to specify the complete list of local groups whose members are allowed to create collections using this storage gateway. If --groups-allow is used, only members of the specified groups are permitted to create collections via this gateway. Groups are specified in a comma separated list. This option is overridden by --users-deny, --users-allow, and --groups-deny.

Please let us know if you'd rather move this into a support ticket to provide more details regarding your config file and your use case.

Best regards,
  Gigi
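As an added example (not Globus code), the following Python model applies the RestrictPaths rules quoted above (R/W/N prefixes, '~' as the user's home, '*' wildcards, directory rules covering their contents, longest matching path winning, unmatched paths allowed) to a candidate value, so an administrator can check whether a setting confines a user to their home before applying it to the endpoint; the same R/RW/N path logic also describes the GCSv5 --restrict-paths option. The home directory path is a constructed assumption, and the wildcard and longest-match behaviour are modelled from the documentation text, not taken from the GCS implementation.

```python
import fnmatch
import posixpath

# Added example (not Globus code) modelling the documented RestrictPaths rules:
# R/W/N prefixes, '~' = user's home, '*' wildcard, a directory rule covers its
# contents, the longest matching path wins, and unmatched paths are allowed.

def parse_restrict_paths(spec: str, home: str) -> dict:
    """Turn 'RW~,N~/.*' into {'/home/u': 'RW', '/home/u/.*': 'N'}."""
    rules = {}
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        i = 0
        while i < len(entry) and entry[i] in "RWN":  # permission prefix letters
            i += 1
        perms, path = entry[:i], entry[i:]
        if not path:
            raise ValueError(f"missing path in {entry!r}")
        if path.startswith("~"):                     # authenticated user's home
            path = home + path[1:]
        rules[posixpath.normpath(path)] = perms or "RW"  # assumption: no prefix = RW
    return rules

def _covers(pattern: str, path: str) -> bool:
    """True if the rule matches path itself or one of its parent directories."""
    path = posixpath.normpath(path)
    while True:
        if fnmatch.fnmatchcase(path, pattern):
            return True
        parent = posixpath.dirname(path)
        if parent == path:                           # reached '/', no match
            return False
        path = parent

def effective_access(rules: dict, path: str) -> str:
    """Return 'N' (denied) or the R/W letters granted; longest matching rule wins."""
    hits = [(len(p), perms) for p, perms in rules.items() if _covers(p, path)]
    if not hits:
        return "RW"                                  # no rule: OS permissions decide
    perms = max(hits)[1]
    return "N" if "N" in perms else perms

if __name__ == "__main__":
    # Constructed home path; the spec is the value Mauro reported trying.
    rules = parse_restrict_paths("RW~,N~/.*,N/,N/data", "/data/users_home_dir/mauro")
    for p in ["/", "/etc/passwd", "/data/users_home_dir/other",
              "/data/users_home_dir/mauro/file.nc", "/data/users_home_dir/mauro/.ssh/key"]:
        print(f"{p:45} {effective_access(rules, p)}")
```

Under these rules "/" and "/data" are denied, the user's own home is read/write, and hidden files in the home are denied, so the value itself is sound; the thread below shows that the setting only takes effect once the endpoint setup is re-run.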

Mauro Tridici

May 12, 2020, 5:00:18 PM
to User Discuss
Hi Gigi,

you are right, I should explain my needs better.
I will try to do it below.

I installed Globus pointing to the Globus v.5 repository, so I think the installed version of Globus is 5 (do you know how to properly detect the installed version?).
I created my first Globus endpoint and the first related users.
So, they can log into the Globus server via the Globus Connect Personal client and start their data transfer tasks without problems. It's a great and user-friendly tool.
But I noticed that each user can browse the file system without limits (the users' home directories have been created on an NFS-mounted file system named /data).
Users can move from the /data/users_home_dir and they can read the content of "/".

Before writing this, I already tried to set the "RestrictPaths" option in the /etc/globus-connect-server.conf file to "RestrictPaths = RW~,N~/.*,N/,N/data" but nothing changed. The changes don't modify the behavior.
Users can still browse the entire file system. Do you have any suggestions to solve my issue?

Maybe I will solve my issue by following your suggestions related to the Globus v.5 deployment, but first I prefer to be sure about the installed version.

Do you think that I did something wrong installing Globus v.5 instead of Globus v.4? What is the difference between the two versions?
Do you think I need to go back to Globus v.4?

Thank you in advance for your support and your patience.
Kind regards,
Mauro

Ronald Liming

May 18, 2020, 11:41:39 AM
to User Discuss
Hello Mauro,

In our off-list email exchange, we established that you are using Globus Connect Server version 4. (I suggested looking at the installed package name. The version 4 package name is "globus-connect-server" whereas the version 5 package name is currently "globus-connect-server53".)

Running globus-connect-server-setup again after changing the settings in /etc/globus-connect-server.conf resolved your issue.

I'm posting this summary here for the benefit of other list subscribers. As a reminder, you are always welcome to address technical support questions to sup...@globus.org.

Best wishes,

Lee Liming
Globus