Re: [HTCondor-users] condor_ssh_to_job
- Date: Thu, 22 Aug 2013 11:29:19 -0500
- From: Todd Tannenbaum <tannenba@xxxxxxxxxxx>
- Subject: Re: [HTCondor-users] condor_ssh_to_job
On 8/22/2013 8:47 AM, Rich Pieri wrote:
> What is more a security thing is giving each daemon its own unique UID
> and GID instead of running everything as nobody:nogroup. This prevents
> one compromised daemon from being able to access a different daemon's
> files and memory space. An arbitrary range of UIDs and GIDs makes this
> easier to manage.
I agree!!! (in HTCondor-speak, I'd replace the word 'daemon' above with
'job')
Here at UW-Madison, we assign specific UIDs/GIDs to slots (aka "slot
users") instead of running as user nobody.
You can set things up so jobs either run as the submitting user (useful
if you have a shared filesystem), or as a uid assigned to that slot.
See
http://research.cs.wisc.edu/htcondor/manual/v8.0/3_6Security.html#sec:RunAsNobody
and
http://research.cs.wisc.edu/htcondor/manual/v8.0/3_3Configuration.html#SECTION00437000000000000000
for more insights and config details.
Todd
--
Todd Tannenbaum <tannenba@xxxxxxxxxxx>
HTCondor Technical Lead
Center for High Throughput Computing
Phone: (608) 263-7132

University of Wisconsin-Madison
Department of Computer Sciences
1210 W. Dayton St. Rm #4257
Madison, WI 53706-1685
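As an added example, not part of Todd's message or the HTCondor project's own documentation, here is an execute-node `condor_config.local` fragment showing the two choices he describes: jobs running as the submitting user (appropriate with a shared filesystem), or each slot running under its own dedicated account instead of `nobody`. The knob names are the ones documented in the linked manual sections (`STARTER_ALLOW_RUNAS_OWNER`, `SLOT<N>_USER`, `DEDICATED_EXECUTE_ACCOUNT_REGEXP`, `UID_DOMAIN`, `TRUST_UID_DOMAIN`); the slot count, the domain name and the `cndrusr` account names are assumptions chosen for illustration.

```ini
# Added example: execute-node configuration for per-slot job accounts.
# Assumed: four static slots, accounts cndrusr1..cndrusr4 already created
# on the execute node, e.g. with (hypothetical numbering, run as root):
#   for i in 1 2 3 4; do useradd -r -M -s /sbin/nologin cndrusr$i; done
NUM_SLOTS = 4

# Choice 1: run jobs as the submitting user. Only meaningful when the
# submit and execute machines agree on UID_DOMAIN (a shared filesystem
# and a shared account database). Do NOT enable TRUST_UID_DOMAIN unless
# every submit host is trusted to claim that domain honestly.
UID_DOMAIN = cluster.example.org
TRUST_UID_DOMAIN = False
# STARTER_ALLOW_RUNAS_OWNER = True

# Choice 2 (what this example enables): refuse to run as the owner and
# give each slot its own UID/GID, so a job that breaks out of one slot
# cannot read or signal another slot's processes or files.
STARTER_ALLOW_RUNAS_OWNER = False
SLOT1_USER = cndrusr1
SLOT2_USER = cndrusr2
SLOT3_USER = cndrusr3
SLOT4_USER = cndrusr4

# Tell the starter these accounts are dedicated to HTCondor. Matching
# accounts are treated as disposable: at job exit the starter may kill
# every process still running as that user, so a job cannot leave a
# daemon behind to attack the next job scheduled into the same slot.
DEDICATED_EXECUTE_ACCOUNT_REGEXP = cndrusr[0-9]+
```

Two checks are worth making after reloading the configuration: `condor_config_val SLOT1_USER` on the execute node should return `cndrusr1`, and `ps -o user,pid,cmd` while a job runs should show the job's processes under the slot account rather than under `nobody` or the submitter. Note that the dedicated-account regexp is the piece that makes the per-slot accounts a real isolation boundary: without it, HTCondor only changes the UID for the job but does not reap stray processes owned by that UID when the job ends.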