Security and Privacy
Is (my data on) Ponyland safe?
Really depends on what you mean by safe:
| Safe against | Typical countermeasures | Do we do that? |
|---|---|---|
| Hackers breaking into Ponyland and stealing your data | Separate accounts with limited permissions, network activity monitoring, regular updates | Yes |
| Password thieves logging in with your password and stealing your data | Two-factor authentication | No |
| Other Ponyland users looking at your data while not allowed | Linux permission system | Yes (well actually: YOU do this) |
| You making your data public by accident | Not much, maybe software tests? | No |
| Your data being erased by system failures or human errors | Backups | Sometimes, see backups |
| Hostage takers encrypting your data and selling you the encryption key | Linux permission system (don't make your data writable) | YOU do this |
Privacy
Important to know when storing data on Ponyland:
- Always abide by the faculty's Research Data Management protocol.
- Use the Linux Permission System to limit which other Ponyland users can access or edit your data.
- Be aware that the Linux permissions do not prevent the admins from accessing/editing your data. If you want to make your data on Ponyland inaccessible to us, you need to encrypt the data and store the key somewhere else.
Linux Permission System
The basics of the permission system can be found here.
You should be aware of the following default permissions on Ponyland:
Home
Users' home folders by default are inaccessible to other users (except for admins), because the group permissions apply to the user's primary group (membership of which cannot be changed by regular users), and permissions for others are set to 0.
[timzee@thunderlane:~]$ ls -l /home
total 516
drwxr-x--- 16 janedelacruz janedelacruz 26 Aug 14 2024 janedelacruz
drwxr-x--- 97 lboves lboves 1022 Aug 22 22:35 lboves
drwxr-x--- 91 mhulsbosch mhulsbosch 148 Sep 3 14:15 mhulsbosch
drwxr-x--- 15 mpastor mpastor 23 Sep 4 15:25 mpastor
drwxr-x--- 15 mrahman mrahman 22 Sep 3 18:44 mrahman
drwxr-x--- 56 timzee timzee 110 Sep 4 15:26 timzee
umask and ACLs
The default permissions of folders and files you create on Ponyland are determined by the system's umask value and Access Control Lists (ACLs). You can find the umask value on Ponyland by doing:
To get the permissions of a new file or folder we subtract it from the standard octal permissions (666 for files and 777 for folders). So by default new files and folders on Ponyland have octal permissions of 664 and 775 respectively. This translates as follows:
| octal | user | group | other |
|---|---|---|---|
| 664 | rw- | rw- | r-- |
| 775 | rwx | rwx | r-x |
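The calculation above as an added example (not part of the original page): the function names are hypothetical, stat -c is the GNU coreutils form, and the umask 0002 is inferred from the 664 and 775 stated above. The kernel clears the umask bits rather than subtracting, which gives the same result for 0002 but not for every value, so the example also runs a umask where the two differ.

```shell
#!/bin/sh
# Added example, not Ponyland tooling. Assumes GNU stat ("stat -c").

# default_mode BASE UMASK -> mode left after the umask bits are cleared
default_mode() {
    printf '%03o\n' "$(( 0$1 & ~0$2 & 0777 ))"
}

# symbolic MODE -> rwx string, e.g. 664 -> rw-rw-r--
symbolic() {
    m=$(( 0$1 )); out=""
    for s in 6 3 0; do
        set -- --- --x -w- -wx r-- r-x rw- rwx
        shift $(( (m >> s) & 7 ))
        out="$out$1"
    done
    printf '%s\n' "$out"
}

# observed_modes UMASK -> "FILE DIR": modes of a file and a folder actually
# created under that umask in a scratch directory (no ACLs involved there)
observed_modes() {
    d=$(mktemp -d) || return 1
    ( umask "$1" && touch "$d/f" && mkdir "$d/d" )
    set -- $(stat -c %a "$d/f" "$d/d")
    rm -rf "$d"
    printf '%s %s\n' "$1" "$2"
}

# 0002 is inferred from the page's 664/775; 033 is where subtraction misleads
# (666 - 033 would suggest 633, the real result is 644)
for u in 0002 033; do
    f=$(default_mode 666 "$u"); d=$(default_mode 777 "$u")
    printf 'umask %s: files %s %s, folders %s %s, observed %s\n' \
        "$u" "$f" "$(symbolic "$f")" "$d" "$(symbolic "$d")" "$(observed_modes "$u")"
done
```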
However, the umask can be overridden by ACLs. If enabled, you can use ACLs to change the default permissions and also to grant specific users access to files and folders. To inspect ACLs you would use getfacl and to change them you would use setfacl. On Ponyland, ACLs are currently not enabled on the regular filesystem. However, the system administrators have set some ACLs using the networked file system that is used to mount certain folders on Ponyland. These can be inspected using nfs4_getfacl. ACLs on a folder can be inherited by files and folders created inside that folder. This will become relevant when we discuss the different tensusers folders.
Tensusers
Let's take a look at the different tensusers folders:
[timzee@thunderlane:/vol]$ ls -ld tensusers*
drwxrwsr-x 114 root tens 4096 Aug 28 15:01 tensusers
drwxrwsr-x 51 root tens 4096 Aug 28 15:23 tensusers2
drwxrwsr-x 52 root tens 4096 Aug 28 15:05 tensusers3
drwxrwsr-x 61 root tens 4096 May 15 22:03 tensusers4
drwxrwsr-x 61 root tens 4096 Mar 20 14:23 tensusers5
drwxrws--- 20 root tens 20 Jul 4 17:00 tensusers6
drwxrws--- 17 root tens 19 Aug 28 15:02 tensusers7
drwxrws--- 21 root tens 21 Sep 2 21:55 tensusers8
Two things stand out:
- The group permissions show an s where normally you would see the x or -.

  The s marks that the setgid bit is set on these folders. This means that new files and folders created inside these folders inherit the group from the parent folder. That is, any new files and folders inside the tensusers folders by default have the group tens. If the setgid bit is not set on a folder, any new files/folders inside of it will get the primary group of the user who created the file or folder.

  IMPORTANT: This means that if you create your own folder in one of the tensusers folders and store your data inside of it, without changing the group permissions or the group itself, you will be sharing your data with all other Ponyland users! Perhaps the easiest way to prevent that from happening is by doing the following when you first create your tensusers folder:

      [timzee@thunderlane:/vol/tensusers8]$ chmod g-s testdir && ls -ld testdir
      drwxrwx--- 2 timzee tens 3 Sep 4 18:01 testdir

  Any files and folders inside of this folder will get your primary group, of which you should be the only member.

- The tensusers folders do not all have the same permissions.

  This is where the umask and ACLs come into play. tensusers(2-5) have permissions that are in line with the umask. The permissions of these folders are not determined by ACLs. If we run nfs4_getfacl on these folders we get:

      [timzee@thunderlane:/vol]$ nfs4_getfacl tensusers
      # file: tensusers
      A::OWNER@:rwaDxtTcCy
      A::GROUP@:rwaDxtcy
      A::EVERYONE@:rxtcy

  However, if we do the same for tensusers6-8, we get:

      [timzee@thunderlane:/vol]$ nfs4_getfacl tensusers6
      # file: tensusers6
      A::OWNER@:rwaDxtTcCy
      A::GROUP@:rwaDxtcy
      A:g:47385:rxtcy
      A::EVERYONE@:tcy
      A:fdi:OWNER@:rwaDxtTcCy
      A:fdi:GROUP@:rwaDxtcy
      A:fdig:47385:rxtcy
      A:fdi:EVERYONE@:tcy

  We will not try to parse this output, but it basically means that the ACLs on these folders result in default octal permissions of 660 and 770 for files and folders created inside tensusers6-8:

  | octal | user | group | other |
  |---|---|---|---|
  | 660 | rw- | rw- | --- |
  | 770 | rwx | rwx | --- |
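A way to check a folder for the exposure described above, as an added example that is not part of the Ponyland documentation: it reports setgid directories and entries that a given group or other users can reach. It assumes GNU find; the function names and the sample tree are constructed for illustration, and on Ponyland the group argument would be tens.

```shell
#!/bin/sh
# Added example, not Ponyland tooling. Assumes GNU find for "-perm /MODE"
# (true if any of the listed bits are set).

# audit_exposure DIR GROUP prints one line per finding:
#   setgid PATH  directory that passes its group on to new entries
#   group PATH   entry owned by GROUP with any group permission bit set
#   other PATH   entry with any permission bit set for "other"
audit_exposure() {
    find "$1" -type d -perm -2000 | sed 's/^/setgid /'
    find "$1" -group "$2" -perm /070 | sed 's/^/group /'
    find "$1" -perm /007 | sed 's/^/other /'
}

# count_findings KIND DIR GROUP -> number of findings of that kind
count_findings() {
    audit_exposure "$2" "$3" | grep -c "^$1 " || true
}

# Constructed sample tree standing in for a personal folder under tensusers.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/project" "$d/private"
    touch "$d/project/data.csv" "$d/private/notes.txt" "$d/public.txt"
    chmod 2770 "$d/project"; chmod 660 "$d/project/data.csv"
    chmod 700 "$d/private";  chmod 600 "$d/private/notes.txt"
    chmod 644 "$d/public.txt"
    printf '%s\n' "$d"
}

tree=$(make_sample_tree)
# The sample files belong to the caller's own group; on Ponyland pass tens.
audit_exposure "$tree" "$(id -g)"
rm -rf "$tree"
```

Removing the setgid bit only changes the group of entries created afterwards; anything already owned by the shared group stays in the group findings until its group or group bits are changed.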
Sharing data with specific users
If you want to make your data available to certain other users, but you do not want everyone in tens to have access, contact the admins and we can request a new group for you.