
Re: [Condor-users] File permissions for temporary files, umask ignored



Thanks Zach, the USER_JOB_WRAPPER did the trick. I ended up using a
script which Ben Watrous from Cycle Computing provided to lock down
Condor's temporary working directory:

#!/bin/sh
# USER_JOB_WRAPPER: Condor runs it with the job's scratch directory as the cwd
chmod 700 .   # make the execute directory owner-only
exec "$@"     # hand over to the job command line Condor passed in


On Wed, Jun 6, 2012 at 6:41 PM, Zachary Miller <zmiller@xxxxxxxxxxx> wrote:
> On Wed, Jun 06, 2012 at 06:28:28PM -0400, Myung Cho wrote:
>> Hi,
>>
>> I am testing Condor for use at our company and during our testing we
>> noticed a security issue I can't seem to find a documented fix for. We
>> have multiple teams sharing a cluster pool and each team runs a set of
>> jobs which they would like to keep the actual program and the input &
>> output data private. When normally run by hand, each team sets their
>> umask so that the other teams can not view the program or the input &
>> output. However, when the job is run via Condor, Condor creates the
>> temporary files in /var/lib/condor/execute with world readable
>> permissions. What we would like to see ideally is for condor to create
>> these temp files with the umask set by the user or at least make it so
>> the temp files are only user readable.
>
> hi Myung,
>
> condor does this for "historic" reasons (that is, reasons i don't find all that
> compelling these days) and i will soon be working to change that to exactly the
> behavior you described.
>
> in the meantime, you could wrap your job in a script which runs umask itself.
> or if you are the admin of the cluster, you can set a USER_JOB_WRAPPER which
> does this.
>
>
> cheers,
> -zach
>
> _______________________________________________
> Condor-users mailing list
> The archives can be found at:
> https://lists.cs.wisc.edu/archive/condor-users/
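
The wrapper technique discussed in this thread, as an added example that is not part of the original posts and not Condor's own code: a USER_JOB_WRAPPER in the style of the one above that additionally sets the umask (Zach's first suggestion), so that files the job itself creates come out owner-only rather than world-readable, plus a self-check that runs a constructed job through the wrapper and reports the resulting modes. It assumes, as the thread does, that condor_starter invokes the wrapper as `<wrapper> <job executable> <job args...>` with the job's scratch directory as the current working directory; the function names `condor_job_wrapper`, `mode_of` and `run_demo` and the demo job are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread, not Condor code).
# Assumed invocation, as described in the thread:
#   <wrapper> <job executable> <job args...>
# with the job's scratch directory under /var/lib/condor/execute as the cwd.

# The actual wrapper: lock down the scratch directory, make the job inherit a
# private umask, then replace this shell with the job. A real USER_JOB_WRAPPER
# would contain just these three commands after the shebang line.
condor_job_wrapper() {
    chmod 700 .    # execute directory: owner-only (the script above)
    umask 077      # files the job writes: owner-only, even if the job never sets a umask
    exec "$@"      # hand over to the job command line Condor passed in
}

# Portable permission query: try the likely octal modes with POSIX find -perm,
# which matches the mode exactly. Prints the mode, or "unknown".
mode_of() {
    for m in 700 600 755 644 777 666; do
        if [ -n "$(find "$1" -prune -perm "$m")" ]; then
            echo "$m"
            return 0
        fi
    done
    echo "unknown"
    return 1
}

# Self-check: create a throwaway scratch directory, run a constructed job
# (one that simply writes an output file) through the wrapper inside a
# subshell so exec/umask do not affect this shell, then report both modes.
# Expected result: "dir=700 file=600".
run_demo() {
    scratch=$(mktemp -d) || return 1
    (
        cd "$scratch" || exit 1
        # Constructed job: writes an output file exactly as a real job would.
        condor_job_wrapper sh -c 'echo secret-result > output.dat'
    )
    dir_mode=$(mode_of "$scratch")
    file_mode=$(mode_of "$scratch/output.dat")
    rm -rf "$scratch"
    echo "dir=$dir_mode file=$file_mode"
}
```

Usage: run `run_demo` in a shell that has sourced the script to see the effect; without the `umask 077` line the directory is still 700 but `output.dat` would be created with the daemon's default umask, which is the world-readable case the thread describes. Locking the directory alone already hides its contents from other local users, so the umask is defence in depth for the case where files are later copied or moved out of the scratch directory.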