File Protections for EOS User Storage

In draft. 2019/12/6 by CSO

These subsidiary rules to Operational Circular N°5 are for users of the EOS file system.

At CERN, owners of any kind of data (e.g. files, documents, Web pages), including users of file services, must protect their data from anonymous read and/or write access (see below for a definition of "anonymous").

EOS Data Protection Policy

As a general rule, and following the above, access to any EOS folder location should be either authenticated via a CERN account, anonymous read-only, or anonymous write-only ("filedrop" functionality). Any anonymous, simultaneous write AND read access is forbidden.

Additionally, more specific rules apply to the general-purpose EOS user and project storage, i.e. "EOSHOME" and "EOSPROJECT". In order to protect EOS data therein, the following access controls (ACLs) must be applied to all user folders hosted on EOS. Here, "HOME" and "PROJECT" are the paths to the home folder of a particular user or project.

  1. The default access for all files in the "HOME"/"PROJECT" tree is limited to the data owner only;
  2. No anonymous access is possible to EOS user storage other than via CERNBox "Shared Links". Shared Links allow direct web access via the CERNBox interface. Shared Links are hard to guess, and additional options allow access to be protected by a password. The corresponding ACLs are NOT inherited by the EOS storage itself;
  3. Subfolders of "HOME"/"PROJECT" may be shared with specific users or e-groups for read access (corresponding ACL permission is "rx") or read/write access (corresponding ACL permission is "rwx+d"). The sharing is fully controlled by the CERNBox sharing interface, and the user cannot manually set other permissions. Sharing is recursive and applies to the entire subfolder tree.

The data owner (i.e. the user) owns all files under "HOME" and "PROJECT", respectively, even if created by other users (in a shared subfolder). The data owner is still ultimately responsible for the proper ACLs of their folders and files. Sharing permissions can be managed through a streamlined CERNBox interface described in depth in https://cernbox-manual.web.cern.ch/cernbox-manual/en/sharing. The CERNBox and EOS services are supposed to assist with this, but hold no responsibility.

Definition of "anonymous"

Access to a file or folder is defined to be "anonymous" when the group of people permitted such access can potentially be very large. For EOS, files and folders shared by web URL are considered anonymous if exposed publicly (posted on unprotected web pages, social media, etc.).

ACLs for EOS-hosted Web sites

All EOS-hosted personal web sites must be stored in the "~HOME/www" folder. Web spaces for projects must be stored in the "~PROJECT/www" folder. These folders are shared with the "wwweos" user. Access is controlled by the CERN web service (technically via the ".htaccess" file).

The procedure to create and manage the EOS websites is described here: https://cernbox-manual.web.cern.ch/cernbox-manual/en/web/.