xrdfs 4.8.2 removes files even when security is in place. Tested with sec.protocol unix and sss.
No feedback in the logs of the data server. Access is logged on the redirector only.
Expected behaviour would be that xrdfs does not rm the file when not permitted in the Authfile.

Is this a bug or a misconfiguration?

Authfile:
u * /xrootd lr
u root /xrootd lr
u schroete /xrootd/myTestDir a

Copy a file as user schroete:
~# XrdSecDEBUG=1 xrdcp Adapter_28022018.tgz root://glogin1//xrootd/myTestDir/test.dat
sec_Client: protocol request for host 192.168.16.122 token='&P=unix'
sec_PM: Loaded unix protocol object from libXrdSecunix.so
sec_PM: Using unix protocol, args=''
[45.08MB/45.08MB][100%][==================][45.08MB/s]

Remove file as schroete2, root or any other user on that client machine:
(Also, it looks like the user name is truncated to 8 chars)
~# xrdfs glogin1 rm /xrootd/myTestDir/test.dat

Log Entry Data Server:
180413 12:52:50 1243 XrdInet: Accepted connection from [log in to unmask]
180413 12:52:50 1243 XrdProtocol: matched protocol xrootd
180413 12:52:50 1243 ?:7@qc01 XrdPoll: FD 7 attached to poller 0; num=1
180413 12:52:50 1245 XrdSched: running main accept inq=0
180413 12:52:50 1243 ?:7@qc01 XrootdProtocol: 0000 req=login dlen=97
180413 12:52:50 1243 schroete.22072:7@qc01 XrootdResponse: 0000 sending 16 data bytes
180413 12:52:50 1243 XrootdXeq: schroete.22072:7@qc01 pvt IPv4 login
180413 12:52:50 1243 schroete.22072:7@qc01 XrootdProtocol: 0100 req=rm dlen=26
180413 12:52:50 1243 schroete.22072:7@qc01 ofs_remove: f fn=/xrootd/myTestDir/test.dat
180413 12:52:50 1243 schroete.22072:7@qc01 XrootdProtocol: 0100 rc=0 rm /xrootd/myTestDir/test.dat
180413 12:52:50 1243 schroete.22072:7@qc01 XrootdResponse: 0100 sending OK
180413 12:52:50 1243 XrootdXeq: schroete.22072:7@qc01 disc 0:00:00
180413 12:52:50 1243 schroete.22072:7@qc01 XrdPoll: FD 7 detached from poller 0; num=0

xrootd.cf:
xrd.timeout hail 30 idle 0 kill 3 read 5
all.export /xrootd
set xrdr=glogin1.iup.uni-bremen.de
set inventory=/var/log/xrootd/inventory
all.manager $(xrdr):3121
cms.allow host *.iup.uni-bremen.de
if $(xrdr) && named cns
all.export $(inventory)
xrd.port 1095
else if $(xrdr)
all.role manager
oss.defaults rw
xrd.port 1094
else
all.role server
ofs.notify closew create mkdir mv rm rmdir trunc | /usr/bin/XrdCnsd -d -D 2 -i 90 -b $(xrdr):1095:$(inventory)
ofs.notifymsg create $TID create $FMODE $LFN?$CGI
ofs.notifymsg closew $TID closew $LFN $FSIZE
xrootd.seclib /usr/lib/libXrdSec.so
sec.protocol unix
acc.authdb /etc/xrootd/Authfile
acc.authrefresh 60
ofs.authorize
cms.space min 100g 110g
fi
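
Added example, not part of the original report and not XRootD code: a small audit that lists each completed rm in the data server trace together with the identity the server logged it under, and checks that identity against the Authfile. It assumes a simplified Authfile model (only "u" records, privileges of all matching records unioned, "a" or "d" permitting delete); the function names are hypothetical.

```python
import re

# Two trace lines copied from the data server log in the report above.
LOG = """\
180413 12:52:50 1243 schroete.22072:7@qc01 XrootdProtocol: 0100 req=rm dlen=26
180413 12:52:50 1243 schroete.22072:7@qc01 XrootdProtocol: 0100 rc=0 rm /xrootd/myTestDir/test.dat
"""

# Authfile from the report above.
AUTHFILE = """\
u * /xrootd lr
u root /xrootd lr
u schroete /xrootd/myTestDir a
"""

# <date> <time> <tid> <user>.<pid>:<fd>@<host> XrootdProtocol: <sid> rc=<n> rm <path>
RM_DONE = re.compile(
    r"^\d{6} [\d:]+ \d+ (?P<user>[^.\s]+)\.\d+:\d+@(?P<host>\S+) "
    r"XrootdProtocol: \w+ rc=(?P<rc>-?\d+) rm (?P<path>\S+)$"
)

def parse_authfile(text):
    """Return (user, path_prefix, privileges) for each 'u' record."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "u":
            rules.append((fields[1], fields[2].rstrip("/"), fields[3]))
    return rules

def may_delete(rules, user, path):
    """Simplified model (assumption): union privileges of matching records."""
    privs = set()
    for who, prefix, p in rules:
        if who in ("*", user) and (path == prefix or path.startswith(prefix + "/")):
            privs |= set(p)
    return bool(privs & {"a", "d"})

def audit_removes(log, authfile):
    """List completed rm requests as (user, host, path, rc, allowed_by_authfile)."""
    rules = parse_authfile(authfile)
    out = []
    for line in log.splitlines():
        m = RM_DONE.match(line)
        if m:
            out.append((m["user"], m["host"], m["path"], int(m["rc"]),
                        may_delete(rules, m["user"], m["path"])))
    return out

print(audit_removes(LOG, AUTHFILE))
```

The trace identity is whatever name the server logged for the session, so the last field only says whether the Authfile would allow that logged name to delete the path.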

