I'm testing out condor on a Linux machine running with grsecurity/pax patches. There's a setting that's causing some problems:

    kernel.grsecurity.tpe_restrict_all = 1

From the docs:

    CONFIG_GRKERNSEC_TPE_ALL:
    If you say Y here, all non-root users other than the ones in the group
    specified in the main TPE option will only be allowed to execute files
    in directories they own that are not group or world-writable, or in
    directories owned by root and writable only by root. If the sysctl
    option is enabled, a sysctl option with name "tpe_restrict_all" is
    created.

When running jobs in the vanilla universe that are executed as the submitter, the dir_* directory is chowned by that user and their primary group. However, when submitting under the standard universe that directory is owned by condor:condor even though execution is still attempted by the submitter, which results in a denial by the tpe rule:

    May 8 11:46:45 bpkroth-tux grsec: From 127.0.0.1: denied untrusted exec of /var/condor/execute/dir_5435/condor_exec.24.0 by /opt/condor-7.0.1-rhel5-dynamic/sbin/condor_starter.std[condor_starter.:5440] uid/euid:1000/1000 gid/egid:100/100, parent /opt/condor-7.0.1-rhel5-dynamic/sbin/condor_starter.std[condor_starter.:5435] uid/euid:0/440 gid/egid:0/440

I would have expected the behavior to be similar to the vanilla universe - the dir_* is owned by the user who will be executing the job (either condor, submitter, nobody, etc.). Is there a reason that's not the case that I'm missing?

Thanks,
Brian
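An added example (not from the post or from condor/grsecurity) that encodes the tpe_restrict_all directory rule quoted above, so the two universes' ownership situations can be checked before a job is denied; the condor uid 440 is assumed from the euid in the log line, and the 0755 directory modes are constructed.

```python
import os
import stat
from typing import NamedTuple


class TpeVerdict(NamedTuple):
    allowed: bool
    reason: str


def tpe_all_allows(dir_uid: int, dir_mode: int, exec_uid: int) -> TpeVerdict:
    """Apply the CONFIG_GRKERNSEC_TPE_ALL directory rule to one executing uid.

    Only the directory-ownership/writability condition from the docs is modelled;
    membership in the trusted TPE group (which exempts a user) is not checked here.
    """
    if exec_uid == 0:
        return TpeVerdict(True, "root is not subject to tpe_restrict_all")
    perm = stat.S_IMODE(dir_mode)
    others_can_write = bool(perm & (stat.S_IWGRP | stat.S_IWOTH))
    if dir_uid == exec_uid:
        if others_can_write:
            return TpeVerdict(False, "directory owned by user but group/world-writable")
        return TpeVerdict(True, "directory owned by executing user, not group/world-writable")
    if dir_uid == 0:
        if others_can_write:
            return TpeVerdict(False, "root-owned directory is writable by non-root")
        return TpeVerdict(True, "root-owned directory writable only by root")
    return TpeVerdict(False, f"directory owned by uid {dir_uid}, not uid {exec_uid} or root")


def check_path(path: str, exec_uid: int) -> TpeVerdict:
    """Check the parent directory of a real executable on disk (e.g. a dir_*/condor_exec.*)."""
    st = os.stat(os.path.dirname(os.path.abspath(path)))
    return tpe_all_allows(st.st_uid, st.st_mode, exec_uid)


CONDOR_UID = 440        # assumed: euid of the parent condor_starter in the log line
SUBMITTER_UID = 1000    # uid/euid of the denied exec in the log line


def standard_universe_case() -> TpeVerdict:
    # dir_5435 owned condor:condor (constructed mode 0755), executed as the submitter
    return tpe_all_allows(CONDOR_UID, 0o40755, SUBMITTER_UID)


def vanilla_universe_case() -> TpeVerdict:
    # dir_* chowned to the submitter before execution (constructed mode 0755)
    return tpe_all_allows(SUBMITTER_UID, 0o40755, SUBMITTER_UID)


if __name__ == "__main__":
    for name, v in (("standard", standard_universe_case()), ("vanilla", vanilla_universe_case())):
        print(f"{name} universe: {'allowed' if v.allowed else 'DENIED'} ({v.reason})")
```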