When adding a repo on a publisher node which connects to a GW, you do ‘sudo cvmfs_server mkfs’ which has a -o option for the local user which owns the repository. By default it is ‘cvmfs’.
Publishing users need to be able to su to that account to do transactions and it should preferably be as minimally privileged as possible.
Is there any security benefit of using a separate account other than the default ‘cvmfs’? Or are the permissions exposed to the end users (e.g. read/write files in /var/spool/cvmfs) the same either way such that it is only a cosmetic difference whether the ‘cvmfs’ account or some other ‘publisher’ account is used?
Thanks.
Hi Ryan,
One specific scenario where custom accounts are useful is when the publisher machine has several repositories that are used by different groups of people - they can then be setup to allow login only as the account that is repository owner, avoiding that everyone can write to all repositories.
I think CERN IT uses this setup.
Otherwise I don’t think it makes much difference, but someone else may comment still.
Cheers,
Valentin
1 Like
Yes good point, thanks. In my case all the repos on the publisher are used by the same users.
Hmm one consideration could be that the cvmfs user has home /var/lib/cvmfs and shell /sbin/nologin by default which would need to be modified.