5556 2007-09-12 17:29 Audit directory setup instructions are insecure 2012-09-12 13:00:29 1 1 1 Unclassified GRAM gt2 Gatekeeper/Jobmanager 4.0.5 TeraGrid All RESOLVED FIXED http://www.globus.org/toolkit/docs/4.0/execution/prewsgram/Pre_WS_GRAM_Audit_Logging.html P3 critical --- 1 navarro@mcs.anl.gov smartin@mcs.anl.gov bester@mcs.anl.gov feller@mcs.anl.gov navarro@mcs.anl.gov 2007-09-12 17:29:39 PreWS audit setup instructions say to create a directory with the permissions "rws-wsrwx". This is insecure and allows arbitrary users to ls the files in the directory and to remove anyone's files. More secure perms are "rwx-wx-wt", set using "chmod 1733". With these permissions, a user can create, modify, or delete only their own files, but they can't even ls the files in the directory to see what they are. This is reasonable given that GRAM2 creates the files for the user in the first place, and the file-names have large random integers in them. It would be very difficult for a user to know the names of their files in order to alter them. It would also be good if the instructions suggested that the directory owner be "globus" or whichever non-root user will be used to process and load the audit records into the database. bester@mcs.anl.gov 2012-09-12 09:22:44 This has been fixed in GRAM5 navarro@mcs.anl.gov 2012-09-12 12:02:25 What version of GRAM5. bester@mcs.anl.gov 2012-09-12 13:00:29 5.2.x