File Protections for EOS User Storage

In draft. 2019/12/6 by CSO

These subsidiary rules to Operational Circular N°5 are for users of the EOS file system.

At CERN, owners of any kind of data (e.g. files, documents, Web pages), including users of file services, must protect their data from anonymous read and/or write access (see below for a definition of "anonymous").

EOS Data Protection Policy

As a general rule, and following the above, access to any EOS folder location should either be authenticated via a CERN account, anonymous read-only or anonymous write-only ("filedrop"-functionality). Any anonymous, simultaneous write AND read access is forbidden.

Additionally, more specific rules apply for the general-purpose EOS user and project storages, i.e. "EOSHOME" and "EOSPROJECT": In order to protect EOS data therein, the following access controls (ACLs) must be applied to all user folders hosted on EOS. Here, "HOME" and "PROJECT" are the paths to the home folder of a particular user or project.

  1. The default access for all files in the "HOME"/"PROJECT" tree is limited to the data owner only;
  2. No anonymous access is possible to EOS user storage other than via CERNBox "Shared Links". Shared Links allow the direct web access via the CERNBox interface. The Shared Links are hardly guessable and additional options allow to protect access by password. The corresponding ACLs are NOT inherited by the EOS storage itself;
  3. Subfolders of "HOME"/"PROJECT" may be shared with specific users or e-groups for read access (corresponding ACL permission is "rx") or read/write access (corresponding ACL permission is "rwx+d"). The sharing is fully controlled by the CERNBox sharing interface and the user cannot set manually other permissions. Sharing is recursive and applies to entire subfolder tree.

The data owner (i.e. the user) owns all files under "HOME" and "PROJECT", respectively, even if created by other users (in a shared subfolder). The data owner is still ultimately responsible for the proper ACLs of his folders and files. Sharing permissions can be manipulated by a streamlined CERNBox interface described in depth in The CERNbox and EOS services are supposed to assist with this, but hold no responsibility.

Definition of "anonymous"

Access to a file or folder is defined to be "anonymous" when the group of people permitted such access can be potentially very large. For EOS, files and folders shared by web-URL are considered anonymous if exposed publicly (posted on unprotected web pages, social media, etc).

ACLs for EOS hosted Web sites

All EOS-hosted personal web sites must be stored in the "~HOME/www" folder. Web spaces for projects must be stored in the "~PROJECT/www" folder. These folders are shared with "wwweos" user. The access is controlled by the CERN web service (technically via the ".htaccess" file).

The procedure to create and manage the EOS websites is described here: