  1. Globus Toolkit
  2. GT-195

GridFTP acts as wrong user when user doesn't exist


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.2.1
    • Fix Version/s: 5.2.2, Sprint 2012-05-22
    • Component/s: GridFTP


      We're using GridFTP from GT 5.2.1 and we (Doug Strain and Neha Sharma) found an interesting bug. Normally, GridFTP maps me to the user that I am mapped to in the grid-mapfile. For instance, when I'm mapped like this:

      "/DC=org/DC=doegrids/OU=People/CN=Alain Roy 424511" alainroy

      I'm mapped to the alainroy user. I can easily tell which user it is with UberFTP, though the client is irrelevant:

      % uberftp fermicloud084
      220 fermicloud084.fnal.gov GridFTP Server 6.5 (gcc64, 1323378368-83) [unknown] ready.
      230 User alainroy logged in.
      UberFTP> pwd

      However, if I'm mapped to a user that doesn't exist, GridFTP appears to pick the last user in /etc/passwd. For example, when alainroy is misspelled:

      "/DC=org/DC=doegrids/OU=People/CN=Alain Roy 424511" alainroyy

      I'm mapped to the tomcat user:

      % uberftp fermicloud084
      220 fermicloud084.fnal.gov GridFTP Server 6.5 (gcc64, 1323378368-83) [unknown] ready.
      230 User alainroyy logged in.
      UberFTP> pwd

      apparently because Tomcat is the last user in the passwd file:

      % tail -1 /etc/passwd

      Another example:

      % globus-url-copy file:///cloud/login/alainroy/shar.pl gsiftp://fermicloud084.fnal.gov/tmp/shar.pl
      % ls -l /tmp/shar.pl
      -rw-r--r-- 1 tomcat tomcat 55051 May 17 12:11 /tmp/shar.pl

      I would think that if the user doesn't exist, something safer would happen. Probably you should deny access.

      Lest this seem like a rare condition, it's pretty common for people in OSG to mistakenly authorize users that don't have accounts. People authorize whole VOs because they authorize "everyone in OSG" but regularly forget to make any of the accounts for them. So this may well be a common problem and could cause security breaches. Definitely something to fix.

      If you provide us with a patch, we can ship a patched version to OSG in advance of a new release from you.





            • Assignee:
              mlink Mike Link
              alainroy alainroy
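The report notes that sites regularly authorize DNs whose local accounts were never created. The following audit script is an added example, not part of the original report or of the Globus code base: it lists every grid-mapfile mapping whose local account does not exist. The function names, the constructed fourth sample line, and the handling of a comma-separated list of local names are assumptions of this example.

```python
import pwd
import shlex
import sys

# Constructed sample. Lines 2-3 are the two mappings quoted in the report;
# line 4 (DN and "nosuchacct") is made up to show a comma-separated list.
SAMPLE = '''\
# grid-mapfile
"/DC=org/DC=doegrids/OU=People/CN=Alain Roy 424511" alainroy
"/DC=org/DC=doegrids/OU=People/CN=Alain Roy 424511" alainroyy
"/DC=org/DC=example/CN=Constructed User" alainroy,nosuchacct
'''

def account_exists(name):
    """True if name resolves to a local account via the system passwd lookup."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False

def find_unresolvable(text, exists=account_exists):
    """Return [(line_no, dn, local_name)] for mappings to accounts that do not exist."""
    problems = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # The DN is double-quoted and contains spaces; shlex keeps it whole.
            fields = shlex.split(line)
        except ValueError:
            fields = []
        names = [n for n in fields[1].split(",") if n] if len(fields) == 2 else []
        if not names:
            # Fail closed: a line that cannot be parsed is reported, not skipped.
            problems.append((line_no, line, "<malformed line>"))
            continue
        problems.extend((line_no, fields[0], n) for n in names if not exists(n))
    return problems

if __name__ == "__main__":
    # Pass the path to a grid-mapfile; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    found = find_unresolvable(text)
    for line_no, dn, name in found:
        print(f"line {line_no}: {dn} -> {name}: no such local account")
    sys.exit(1 if found else 0)
```

The non-zero exit status lets the check gate a configuration push or run from cron whenever the mapfile or the account database changes.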