/var/lib/openquake folder must be set as setgid at system level or handled at code level

On 12/16/2011 12:57 PM, beatpanic wrote:
> Public bug reported:
>
> /var/lib/openquake folder must be set as setgid at system level or
> handled at code level
>
> /var/lib/openquake/disagg-results needs to be created in 1770 mode
> being owned by root:openquake
This is already the case since rev. 0.4.6-6, please see
    https://bugs.launchpad.net/openquake/+bug/904659

that bit went away with 0.4.6-6, on an OATS server there was still 0.4.6-5

Hmm .. this is an issue of running the disaggregation calculator in a multi-user setting where celery is daemonized and running as user 'celeryd'.

The job-N directories underneath /var/lib/openquake/disagg-results really need to
    - be owned by <user>.oqdaemon where 'oqdaemon' is a new group for all the OpenQuake software
    - have 770 permissions

That way the OpenQuake software can read/write a job-N directory but other regular users cannot see calculation results that belong to others.

The next package should create the 'oqdaemon' group.

In any case, please let me know what you think!

I agree. And since the job-N directory is created by the disaggregation calculator dynamically it should set at code level the group to oqdaemon or we should rely on the set-gid settings.

Another thing: we should set a proper umask at system level, my doubt is: should we do it via packaging setup? or maybe we can document it, IIRC default umask for debian based system is 0002

thanks!

The short-term "solution" is to make celeryd run as the root user.

This is postponed, a tested and working rev. 0.5.1 package is not a priority at this time.

We don't require NFS storage anymore; disagg. results are saved to the DB instead.