CERN Computer Security Information

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <link rel="stylesheet" href="/style.css" type="text/css" /> <script type="text/javascript" src="/jquery.min.js"></script> <title>CERN Computer Security Information</title> <script type="text/javascript"> $(document).ready(function(){ // Menu highlight var path = location.pathname.split("/"); if ( path ) { $('#main_menu a[href*="' + path[1] + '"][class!="noselect"]').addClass('selected'); // path[3] = /security/<xxxxx>/ $('#sidebar ul.sidemenu li[class!="noselect"]:has(a[href$="' + path.reverse()[0] + '"])').addClass('selected'); } // Add icon to external links $('a[id!=logo-img]').filter(function() { return this.hostname && this.hostname !== location.hostname;   }).after(' <img src="/images/external_link.png" alt="external link" title="external link"/>'); }); </script> </head> <body> <div id="wrap"> <div id="top-bg"></div> <!--header --> <div id="header"> <div id="logo-text"> <a id="logo-img" href="https://home.cern/"><img src="/images/CERNLogo2.png" width="59" height="59" style="margin: 10px" alt="CERN Logo"/></a><div id="logo-text-big"><a href="/home/en/index.shtml" title="">CERN Computer Security</a></div> </div> <div id="header-logo"><a href="/services/en/emergency.shtml"><img width=335 src="/images/emergency.png" alt="Computer Emergencies"/></a></div> </div> <!--header ends--> <div id="header-photo"></div> <!-- navigation starts--> <div id="nav"> <ul id="main_menu"> <li><a class="noselect" href="/home/fr/index.shtml"><img src="/images/fr.png" alt="FR"/></a></li> <li><a href="/home/en/index.shtml">Home</a></li> <li><a href="/rules/en/index.shtml">Computing Rules</a></li> <li><a href="/recommendations/en/index.shtml">Recommendations</a></li> <li><a href="/training/en/index.shtml">Training</a></li> <li><a 
href="/services/en/index.shtml">Services</a></li> <li><a class="secured" href="/reports/en/index.shtml">Reports &amp; Presentations</a></li> </ul> </div> <!-- navigation ends-->
<!-- content-wrap starts -->
<div id="content-wrap">
<div id="main">
<a name="File Protections on AFS"></a><h2>File Protections on AFS</h2>
<em class="titledate"><a href="http://indico.cern.ch/conferenceDisplay.py?confId=73732">2010/04/07 by ITSRM</a></em>
<p>These subsidiary rules to <a href="http://cern.ch/security/rules/en/OC5_english.pdf">Operational Circular N&deg;5</a> are for users of the AFS file system.</p>
<p>At CERN, <b>owners of any kind of data (e.g. files, documents, Web pages), including users of file services, must protect their data from anonymous read and/or write access</b> (see <a href="#l1">below</a> for a definition of "anonymous").</p>
<h4>AFS Data Protection Policy</h4>
<p>In order to protect AFS data, the following access control lists (ACLs) must be applied to all user folders hosted on AFS. Here, "<tt>HOME</tt>" is the path to the home folder or workspace of a particular user.</p>
<ol>
<li>For all anonymous users, the default ACLs of the folder "<tt>~HOME/private</tt>" and all its sub-folders must be "<tt>none</tt>" (no rights at all);</li>
<li>For all anonymous users, the default ACLs of "<tt>~HOME/public</tt>" and all its sub-folders must not be more permissive than either combined "<tt>read</tt>"/"<tt>lookup</tt>" (i.e. "<tt>rl</tt>") rights or combined "<tt>lookup</tt>"/"<tt>insert</tt>"/"<tt>write</tt>" (i.e. "<tt>liw</tt>") rights;</li>
<li>For the group "<tt>webserver:afs</tt>", the default ACLs of "<tt>~HOME/www</tt>" and all its sub-folders must not be more permissive than combined "<tt>read</tt>"/"<tt>lookup</tt>"/"<tt>insert</tt>"/"<tt>delete</tt>"/"<tt>write</tt>"/"<tt>lock</tt>" (i.e. "<tt>rlidwk</tt>") rights;</li>
<li>For all anonymous users, the default ACLs of <tt>~HOME</tt> and all its sub-folders not covered above must not be more permissive than "<tt>lookup</tt>" (i.e. "<tt>l</tt>") rights;</li>
<li>For all anonymous users, the default ACLs of any folder must not allow simultaneous "<tt>write</tt>" <i>and</i> "<tt>read</tt>" rights.</li>
</ol>
<p>From these rules it follows that all information intended to be widely public must be stored in the "<tt>~HOME/public</tt>" folder. All Web sites must be stored in the "<tt>~HOME/www</tt>" folder.</p>
<p><b>These rules are automatically enforced on a regular basis by the AFS service for all "user" and "workspace" folders</b>, unless the actual settings are more restrictive than the aforementioned defaults. For "project", "group" or "scratch" spaces, only rule #5 is enforced. If adaptations have to be made, the corresponding users will be notified afterwards by the AFS service.</p>
<p>However, the data owner (i.e. the user) remains ultimately responsible for the proper ACLs of his folders and files. The AFS service is supposed to assist with this, but holds no responsibility.</p>
<h4><a name="l1"></a>Definition of "anonymous"</h4>
<p>Access to a file or folder is defined to be "anonymous" when the group of people permitted such access can potentially be very large. For AFS, permissions for one or more of the following access control groups are considered to be "anonymous users":</p>
<code> system:anyuser (i.e. all AFS users)<br/> system:authuser (i.e. all CERN users)<br/> cern:nodes (i.e. all CERN hosts using AFS)<br/> afs.hep:nodes<br/> afs.hep:users<br/> webserver:afs (i.e. all AFS Web servers)<br/> wwwprot </code>
<h4><a name="howto"></a>Interactive Correction of AFS ACLs</h4>
<p>The following script will interactively correct AFS ACLs on home directories to be in line with the aforementioned rules. It will update ACLs which are considered to be too permissive:</p>
<code> $ /afs/cern.ch/project/afs/etc/correct_acls </code>
<p>(Try <tt>correct_acls -c</tt> for a check-only dry run. <tt>correct_acls -h</tt> gives some help.)</p>
<p>For other directories such as "project", "group" or "scratch" space, the "<tt>afs_admin</tt>" command can be used both to list violations of CERN's policy and to correct them:</p>
<code> $ afs_admin check_acl /path/to/your/project_or_dir<br/> $ afs_admin clean_acl -r /path/to/your/project_or_dir </code>
<p>As a precaution, "<tt>afs_admin</tt>" will not cross AFS mount points, i.e. it will not descend into other AFS volumes. See "<tt>afs_admin help</tt>" for more details on these commands.</p>
<h4>ACLs for SSH public key authentication stored on AFS</h4>
<p>If you are using SSH public key authentication, you need to make sure that your <tt>authorized_keys</tt> file is made public. The easiest way is to put this file into your <tt>~/public</tt> folder and create a symbolic link from your <tt>~/.ssh</tt> folder:</p>
<code> $ mv ~/.ssh/authorized_keys ~/public<br/> $ ln -s ~/public/authorized_keys ~/.ssh/authorized_keys </code>
<p>These two steps are considered to be sufficient. If necessary, you might need to repeat the same steps for your public SSH keys (e.g. <tt>id_rsa.pub</tt>, <tt>id_dsa.pub</tt>).</p>
<h4>ACLs for AFS-hosted Web sites</h4>
<p>AFS-hosted Web sites must be stored in the <tt>~/www</tt> folder (note the use of lower-case letters). In order to do so, three basic steps are needed:</p>
<ol>
<li>The <tt>~/www</tt> folder needs to be created and the contents need to be copied inside;</li>
<li>The appropriate access rights need to be set: <tt>$ fs sa ~/www webserver:afs rl</tt>. Depending on the Web site, one might need to grant up to <tt>rlidwk</tt>, but be careful!</li>
<li>The AFS Web service needs to be informed about the new location: <a href="https://cern.ch/webservices/Services/ManageSite/">https://cern.ch/webservices/Services/ManageSite/</a>, choose your site and click on &#039;AFS Path: [CHANGE]&#039;. Enter the full path there.</li>
</ol>
<p>If everything is fine, you might consider deleting the old copy. If you think that this Web site is not needed anymore at all, please <a href="https://webservices.web.cern.ch/webservices/Tools/DeleteSite">delete it</a>.</p>
<p>Further details on the different options of Web site creation &amp; management at CERN can be found <a href="http://webservices.web.cern.ch/webservices/Help/?kbid=080400">here</a>.</p>
<h4>More Information</h4>
<p>A detailed description of AFS ACLs can be found <a href="https://cern.service-now.com/service-portal?id=kb_article&n=KB0007454">here</a>.</p>
</div> <!-- main ends -->
<!-- SIDEBAR --> <!-- sidebar menu starts -->
<div id="sidebar">
<h3>CERN Computing Rules</h3>
<ul class="sidemenu"> <li><a href="/rules/en/OC5_english.pdf">Operational Circular Nº5</a></li> <li><a href="/rules/en/oc5_aims.shtml">Aims of OC5</a></li> <li><a href="/rules/en/personal_use_policy.shtml">Personal use policy</a></li> <li><a href="/rules/en/violation_of_rules.shtml">Violation of rules</a></li> <li><a href="/rules/en/CERN_Cybersecurity_Policy_v1.2.pdf">Cybersecurity Policy</a></li> <li><a href="/rules/en/CERN_CSO_Mandate_v1.1.pdf">Mandate of the CSO</a></li> <li><a href="/home/en/CERN/liaisons.shtml">Departmental &amp; Experiment Liaisons</a></li> <li><a href="/rules/en/board.shtml">Computer Security Board</a></li> </ul>
<h3>OC5 Subsidiary Rules</h3> <h3>&amp; Guidelines</h3>
<ul class="sidemenu"> <li><a href="/rules/en/accounts.shtml">Computer accounts</a></li> <li><a href="/rules/en/dhp.shtml">Data Handling Policy</a></li> <li><a href="/rules/en/drp.shtml">Data Retention Policy</a></li> <li><a
href="/rules/en/firewall.shtml">Outer Perimeter Firewall Openings</a></li> <li><a href="/rules/en/ddp.shtml">Properly destroying data</a></li> <li>Protecting files on <a href="/rules/en/afs.shtml">AFS</a>, <a href="/rules/en/dfs.shtml">DFS</a> and <a href="/rules/en/eos.shtml">EOS</a></li> <li><a href="/rules/en/windows.shtml">Running Windows PCs</a></li> <li><a href="/rules/en/baselines.shtml">Security Baselines</a></li> <!--li><a href="/rules/en/social-media.shtml">Social Media Guidelines</a></li--> <li><a href="https://admin-eguide.web.cern.ch/en/procedure/social-media-guidelines">Social Media Guidelines</a></li> <li><a href="/rules/en/data_access_by_thirds.shtml">Third party access to users' accounts and data </a></li> <li><a href="/rules/en/file-services.shtml">Using file services</a></li> <li><a href="/rules/en/mail-service.shtml">Using the e-mail service</a></li> <li><a href="/rules/en/network.shtml">Using the network</a></li> <li><a href="/rules/en/webcams.shtml">Using webcams</a></li> </ul>
<h3>Software Restrictions</h3>
<ul class="sidemenu"> <!--li><a href="/rules/en/irc.shtml">Internet Relay Chat (IRC)</a></li--> <!--li><a href="/rules/en/im.shtml">Instant messaging<br/> (IRC, ICQ, ...)</a></li--> <li><a href="/rules/en/otp-generators.shtml">OTP Generators</a></li> <!--li><a href="/rules/en/p2p.shtml">Peer-to-peer file sharing<br/>(P2P)</a></li--> <!--li><a href="/rules/en/skype.shtml">Skype Internet telephony</a></li--> <li><a href="/rules/en/teamviewer.shtml">TeamViewer</a></li> <!--li><a href="/rules/en/tor.shtml">Tor (The Onion Router)</a></li--> <li><a href="/rules/en/vpn.shtml">VPNs and other overlay networks</a></li> </ul>
<h3>Other Useful Information</h3>
<ul class="sidemenu"> <li><a href="https://indico.cern.ch/category/3441">Licensing CERN Software</a></li> <li><a href="https://odpp.web.cern.ch/">Office of Data Privacy Protection</a></li> <li><a href="http://www.ohwr.org">Open Hardware Repository</a></li> </ul>
</div> <!-- sidebar menu ends -->
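The five policy rules and the list of "anonymous" groups defined above, turned into a checker as an added example (this is not CERN's correct_acls or afs_admin, and the sample fs listacl output below is constructed): it parses the text that fs listacl prints for one directory, given as a path relative to HOME, and reports which rule each anonymous entry breaks. It assumes that rule 3's explicit allowance for webserver:afs under ~HOME/www takes precedence over rule 5.

```python
# Added example (not CERN's correct_acls/afs_admin): checks one directory's ACL, as
# printed by `fs listacl <dir>`, against the five rules. Paths are relative to HOME.
ANONYMOUS = {"system:anyuser", "system:authuser", "cern:nodes", "afs.hep:nodes",
             "afs.hep:users", "webserver:afs", "wwwprot"}   # the page's "anonymous" groups

def parse_listacl(text):
    """Return {principal: set(rights)} from the 'Normal rights:' block of fs listacl."""
    acl, in_normal = {}, False
    for line in text.splitlines():
        if line.endswith("rights:"):                # "Normal rights:" or "Negative rights:"
            in_normal = line.startswith("Normal")   # negative entries only revoke; ignored
        elif in_normal and line.strip():
            who, rights = line.split()
            acl[who] = set(rights)
    return acl

def allowed(rel_path, who):
    """Rule number and the maximal right sets it permits for an anonymous principal."""
    top = rel_path.split("/")[0]
    if top == "private":
        return "rule 1", [set()]                    # no rights at all
    if top == "public":
        return "rule 2", [set("rl"), set("liw")]    # read-only or drop-box, never both
    if top == "www" and who == "webserver:afs":
        return "rule 3", [set("rlidwk")]            # everything but 'a' for the web server
    return "rule 4", [set("l")]                     # lookup only anywhere else

def check(rel_path, listacl_text):
    """Return (principal, rights, rule) for every anonymous entry that breaks the policy."""
    violations = []
    for who, rights in parse_listacl(listacl_text).items():
        if who not in ANONYMOUS:
            continue                                # named users and groups are not covered
        rule, maxima = allowed(rel_path, who)
        shown = "".join(sorted(rights))
        if not any(rights <= m for m in maxima):
            violations.append((who, shown, rule))
        # Rule 5: read and write together is never allowed; assumption: rule 3 takes precedence.
        if {"r", "w"} <= rights and rule != "rule 3":
            violations.append((who, shown, "rule 5"))
    return violations

# Constructed sample of `fs listacl ~/public/docs` output (not real CERN data).
SAMPLE_PUBLIC_DOCS = """\
Access list for /afs/cern.ch/user/j/jdoe/public/docs is
Normal rights:
  jdoe rlidwka
  system:anyuser rliw
  system:authuser rl
"""
```

Running check on the sample flags system:anyuser twice: rliw exceeds both rule-2 maxima and combines read with write, while system:authuser's rl is within policy and the named user jdoe is not examined at all.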
<!-- content-wrap ends--> </div> <!-- footer starts --> <div id="footer-wrap"> <div id="footer-bottom"> &copy; Copyright 2024<strong> <a href="https://cern.ch/security">CERN Computer Security Office</a></strong> <table> <tr> <td id="footer-info-left"> e-mail: <a href="mailto:Computer.Security@cern.ch">Computer.Security@cern.ch</a><br/> Please use the following PGP key to encrypt your messages:<br/> ID: 0x954CE234B4C6ED84<br/> <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/429D60460EBE8006B04CDF02954CE234B4C6ED84">429D 6046 0EBE 8006 B04C DF02 954C E234 B4C6 ED84</a> </td> <td id="footer-info-right"> Phone: +41 22 767 0500<br/> Please listen to the recorded instructions. </td> </tr> </table> </div> </div> <!-- footer ends--> </div> <!-- wrap ends here --> <!--img height=30px src="/home/en/CERNfooter_800.png"--> </body> </html>
