Opened 5 years ago

Closed 4 years ago

#863 closed task (fixed)

Secondary analysis scripts should set permissions on created files in ProjectArchive

Reported by: Nicklas Nordborg
Owned by: Nicklas Nordborg
Priority: major
Milestone: Reggie v4.3
Component: net.sf.basedb.reggie
Keywords:
Cc:

Description (last modified by Nicklas Nordborg)

This is related to #864.

Files generated on the project archive file server by secondary analysis scripts should by default only be readable/writable by the user. If a Case can be found that has Consent=Yes the permission on the generated files can be changed so that the group has read permission as well. Permissions on directories should follow the same pattern, but they also need "execute" permission.

After investigating the umask command (https://en.wikipedia.org/wiki/Umask) it seems like this would be relatively simple by including just one line at the beginning of the script:

  • umask 0077 or umask -S u=rwx,g=,o= if there is no consent
  • umask 0027 or umask -S u=rwx,g=rx,o= if there is a consent

New files should then automatically be created with correct permissions.
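
As an added example (not part of the ticket or of Reggie's ScriptBuilder), the sketch below applies the two umask values from the description and then audits the resulting tree. The function names and the sample output tree are hypothetical, and GNU stat and find are assumed.

```shell
#!/bin/sh
# Added example; function names and the output tree are hypothetical.
# Assumes GNU coreutils/findutils (stat -c, find -perm /mode).

# Map the consent value to the umask proposed in the ticket.
umask_for_consent() {
    case "$1" in
        Yes) echo 0027 ;;  # u=rwx,g=rx,o=
        *)   echo 0077 ;;  # u=rwx,g=,o=  (private by default)
    esac
}

# Stand-in for a generated job script: umask first, then create output.
# The subshell keeps the caller's own umask unchanged.
run_job() {  # usage: run_job <outdir> <consent>
    (
        umask "$(umask_for_consent "$2")"
        mkdir -p "$1/aligned"
        echo "constructed sample data" > "$1/aligned/reads.txt"
    )
}

# Octal permission bits of a path.
mode_of() { stat -c '%a' "$1"; }

# The umask is also the set of forbidden bits, so anything matching
# -perm /<umask> violates the policy. Prints violating paths, if any.
audit_modes() {  # usage: audit_modes <dir> <consent>
    find "$1" -perm "/$(umask_for_consent "$2")" -print
}

# Demo on a throwaway directory.
demo=$(mktemp -d)
run_job "$demo/no_consent" No
run_job "$demo/consent" Yes
for p in no_consent consent; do
    echo "$p: dir=$(mode_of "$demo/$p/aligned") file=$(mode_of "$demo/$p/aligned/reads.txt")"
done
# A tool that sets modes explicitly bypasses the umask; the audit catches it.
chmod 644 "$demo/no_consent/aligned/reads.txt"
audit_modes "$demo/no_consent" No
rm -rf "$demo"
```

The umask only masks the mode requested when a file or directory is created; files that already exist, or whose mode is set explicitly afterwards (chmod, cp -p), keep whatever bits they were given, which is why the audit step is worth running after the job.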

Change History (6)

comment:1 Changed 5 years ago by Nicklas Nordborg

Description: modified (diff)

comment:2 Changed 5 years ago by Nicklas Nordborg

Description: modified (diff)

comment:3 Changed 5 years ago by Nicklas Nordborg

Milestone: Reggie v4.x → Reggie v4.3
Status: new → assigned

comment:4 Changed 5 years ago by Nicklas Nordborg

(In [3792]) References #863: Secondary analysis scripts should set permissions on created files in ProjectArchive

Added support in ScriptBuilder for setting umask -S u=rwx,g=,o= to make sure files are created as private by default. All jobs should use this setting.

The DemuxJobCreator will try to load the parent case and check the consent. If it is set to Yes it will change to umask -S u=rwx,g=rx,o=.

comment:5 Changed 5 years ago by Nicklas Nordborg

(In [3793]) References #863: Secondary analysis scripts should set permissions on created files in ProjectArchive

Added a utility method ScriptBuilder.setUmaskForItem() to make it easy to always include this in generated scripts.

The align and cufflinks jobs now also set the umask.

The job script and other files that are uploaded as input to the job (e.g. barcode files for the demux) are set to private (in StringSourceFile).

Stdout and stderr are still readable by everyone. I guess that is controlled by the Open Grid and I haven't been able to find anything about any setting to change this.

comment:6 Changed 4 years ago by Nicklas Nordborg

Resolution: fixed
Status: assigned → closed