
How does rawtransfer determine group ownership for images?

Added by Patrick Goetz almost 6 years ago

One of our PIs has a specific security protocol regarding raw image data: everyone in his group (but no one else) should have access to the data, but he is the only one who can delete files. I thought I had solved this by creating a dummy account just for collecting images, and affording him user privileges using POSIX extended ACLs, but I'm still having some problems, mostly because rawtransfer appears to be changing the folder group ownership when images are copied. Here are the details. The Camera PC disk is mounted using dir_mode=0750,file_mode=0750 flags so that by default only the owner has write privileges. Images are copied to the /EM/joneslab directory using a local leginon.cfg in the jonesimages home directory. jonesimages is the dummy account used to run start-leginon.py.

Here are the root folder permissions:

root@kraken:/EM# ls -ld /EM/joneslab/
drwxrws---+ 4 jonesimages jones 47 Nov 28 15:16 /EM/joneslab/

jones is the name of the group everyone in this lab is a member of. Note that it looks like the folder has group write privileges, but this is just a side effect of how extended POSIX ACLs work. If a member of the group who is not pjones attempts to write, it fails.

root@kraken:/EM# getfacl joneslab/
# file: joneslab/
# owner: jonesimages
# group: jones
# flags: -s-
user::rwx
user:pjones:rwx
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:pjones:rwx
default:group::r-x
default:mask::rwx
default:other::---

Note correct group at this level as well:

root@kraken:/EM# cd joneslab/
root@kraken:/EM/joneslab# ls -l
total 4
drwxrws---+  9 jonesimages jones  150 Dec  5 19:28 frames
drwxrws---+ 11 jonesimages jones 4096 Dec 10 16:14 leginon

However if we dig down into the frames folder:

root@kraken:/EM/joneslab# cd frames
root@kraken:/EM/joneslab/frames# ls -l
total 0
drwxrws---+ 3 jonesimages jones       29 Dec  3 14:46 18dec03a
drwxrws---+ 3 jonesimages jonesimages 29 Dec  5 19:28 18dec05a
drwxrwsr-x  3 jonesimages jones       29 Nov 28 10:17 18nov05a
drwxrwsr-x  3 jonesimages jones       29 Nov  8 18:14 18nov08a
drwxrwsr-x  3 jonesimages jones       29 Nov 28 10:21 18nov15a
drwxrwsr-x  3 jonesimages jones       29 Oct 19 12:16 18oct19a
drwxrwsr-x  3 jonesimages jones       29 Oct 19 14:56 18oct19b

18dec05a is the session which ran after I set up the permissions. Notice that rawtransfer has changed the group ownership all the way down the directory tree:

root@kraken:/EM/joneslab/frames/18dec05a# ls -l
total 400
drwxrws---+ 3 jonesimages jonesimages 344064 Dec  7 12:16 rawdata

If I reset the folder group ownership to jones, rawtransfer just changes it back to jonesimages. Even though you'll notice a setgid bit is set on all these folders, I tried solving this by changing the default group of the jonesimages account to jones. This didn't work. The group ownership of the directory is changed to jonesimages even though the jonesimages group is no longer associated with the jonesimages account!

root@kraken:~# id jonesimages
uid=1020(jonesimages) gid=10002(jones) groups=10002(jones)

Can anyone clarify what is going on here? I've temporarily added all the group users to the jonesimages group so that they can work with this session after new images are collected, but this seems like a kludge.
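As an added example (not part of the original post and not the Leginon/Appion rawtransfer code), the Python script below shows the setgid inheritance the setup above relies on, derives a session directory's intended group from its parent directory rather than from an account, and audits a tree for entries whose group has drifted or whose directories have lost the setgid bit, with an optional repair. The /EM/joneslab-style tree is constructed inside a temporary directory, and the function names (`intended_gid`, `audit_group_ownership`, `repair_group_ownership`, `demo`) are my own, not rawtransfer's.

```python
# Added example: setgid group inheritance, intended-group derivation and a
# group-ownership audit/repair for an image tree. Not Leginon/Appion code.
import os
import stat
import tempfile
from pathlib import Path


def make_setgid_dir(parent, name, mode=0o2770):
    """Create `name` under `parent` with the setgid bit set, so files and
    sub-directories created inside inherit the directory's group (Linux)."""
    path = Path(parent) / name
    path.mkdir()
    os.chmod(path, mode)
    return path


def intended_gid(sessionpath):
    """Group a session directory should carry under a setgid policy: the
    group of the directory it lives in, not the primary group of whichever
    account ran the transfer. An explicit chown with an account-derived gid
    overrides the inherited group, which is what the question observed."""
    return os.stat(Path(sessionpath).parent).st_gid


def audit_group_ownership(root):
    """Walk `root` and return (path, gid) for every entry whose group differs
    from the root directory's group, and for directories missing setgid."""
    root = Path(root)
    want_gid = os.stat(root).st_gid
    problems = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        st = os.stat(d)
        if st.st_gid != want_gid or not (st.st_mode & stat.S_ISGID):
            problems.append((str(d), st.st_gid))
        for f in filenames:
            fst = os.stat(d / f)
            if fst.st_gid != want_gid:
                problems.append((str(d / f), fst.st_gid))
    return problems


def repair_group_ownership(root, dry_run=True):
    """Reset each mismatched entry to the root's group and restore setgid on
    directories. Returns the list of paths touched (or planned, if dry_run).
    The caller must be a member of the target group, or root."""
    root = Path(root)
    want_gid = os.stat(root).st_gid
    fixes = []
    for path, _gid in audit_group_ownership(root):
        fixes.append(path)
        if not dry_run:
            os.chown(path, -1, want_gid)  # -1 leaves the owner unchanged
            if os.path.isdir(path):
                mode = stat.S_IMODE(os.stat(path).st_mode)
                os.chmod(path, mode | stat.S_ISGID)
    return fixes


def demo():
    """Constructed tree mirroring joneslab/frames/<session>/rawdata in a temp
    directory: check inheritance, simulate a clobbering chown, audit, repair."""
    with tempfile.TemporaryDirectory() as tmp:
        lab = make_setgid_dir(tmp, "joneslab")
        frames = make_setgid_dir(lab, "frames")
        session = make_setgid_dir(frames, "18dec05a")
        rawdata = make_setgid_dir(session, "rawdata")
        (rawdata / "image001.mrc").write_bytes(b"constructed sample")
        result = {
            "inherited_group": os.stat(rawdata).st_gid == os.stat(frames).st_gid,
            "intended_gid_matches_parent":
                intended_gid(session) == os.stat(frames).st_gid,
            "problems_before": audit_group_ownership(lab),
        }
        # Simulate a transfer tool chowning the session to another group the
        # process belongs to, if the process has one besides the tree's group.
        other = [g for g in os.getgroups() if g != os.stat(lab).st_gid]
        if other:
            os.chown(session, -1, other[0])
            os.chown(rawdata, -1, other[0])
        result["problems_after_chown"] = audit_group_ownership(lab)
        result["repaired"] = repair_group_ownership(lab, dry_run=False)
        result["problems_after_repair"] = audit_group_ownership(lab)
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `audit_group_ownership` over the real /EM/joneslab tree (as root, or as a member of jones) would list exactly the directories the ls output above shows with group jonesimages; the repair only chowns the group and re-sets setgid, leaving the owner and the ACLs untouched.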


Replies (1)

RE: How does rawtransfer determine group ownership for images? - Added by Sargis Dallakyan almost 6 years ago

You can debug the self.changeOwnership(uid,gid,sessionpath) line in http://emg.nysbc.org/projects/appion/repository/revisions/trunk/entry/leginon/rawtransfer.py#L236 to see why it's setting gid the way it does. You can also change gid in that line to 10002 if you want to hard-code that specific gid.
