Hello,
In our system we have a superuser who runs jobs on behalf of the other users. The superuser and normal users belong to different groups.
File access is controlled mostly via ACLs. I made a simple script for tests:
#!/bin/bash
id
When the script file has the following POSIX access rights: '-rwxrwx---+ 1 superuser users 15 Nov 5 11:52 test.sh' and ACL:
# file: test.sh
# owner: superuser
# group: users
user::rwx
user:superuser:rwx
user:user20003:rwx
group::--x
mask::rwx
other::---
The job fails when checking that user 'user20003' can run the script:
condor_starter[936]: Running job as user user20003
condor_starter[936]: About to exec /Users/3/test.sh
condor_starter[936]: Create_Process: Cannot access specified executable "/Users/3/test.sh": errno = 13 (Permission denied)
condor_starter[936]: Create_Process(/Users/3/test.sh,, ...) failed: (errno=13: 'Permission denied')
But the script works fine if I start it manually on the execute machine via sudo:
# sudo -u user20003 ./test.sh
uid=20003(user20003) gid=1000(user2xxxx) groups=1000(user2xxxx)
If I run 'chmod o+x test.sh', the job works as expected. The script file has the following POSIX access rights: '-rwxrwx--x+ 1 superuser users 15 Nov 5 11:52 test.sh' and ACL:
# file: test.sh
# owner: superuser
# group: users
user::rwx
user:superuser:rwx
user:user20003:rwx
group::--x
mask::rwx
other::--x
I also tried to reproduce the access check from the daemon core code, but a call to 'access("test.sh", F_OK | X_OK)' works fine under user20003 on the execute machine. From this I guess that the problem is somewhere in the code where HTCondor switches to the user privileges, not with the check itself.
PS:
$CondorVersion: 8.9.6 Mar 19 2020 BuildID: Debian-8.9.6-1 PackageID: 8.9.6-1 Debian-8.9.6-1 $
$CondorPlatform: X86_64-Ubuntu_18.04 $
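
An added example, not part of the original post and not HTCondor code: the POSIX ACL evaluation order from acl(5), run over the two getfacl listings above, to show which ACL class decides execute access for a given identity. The function names and the identity "unmatched" are constructed for illustration; users and groups are compared by name.

```python
"""POSIX ACL access check in the order given by acl(5), evaluated by name."""

ACL = """# file: test.sh
# owner: superuser
# group: users
user::rwx
user:superuser:rwx
user:user20003:rwx
group::--x
mask::rwx
other::{other}
"""
# The two listings from the post differ only in the "other" entry.
BEFORE, AFTER = ACL.format(other="---"), ACL.format(other="--x")

def parse_acl(text):
    """Parse getfacl output into (owner, group, [(tag, qualifier, perms)])."""
    meta, entries = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("#"):
            key, _, val = line[1:].partition(":")
            meta[key.strip()] = val.strip()
        elif line:
            tag, qual, perms = line.split(":")
            entries.append((tag, qual, set(perms) - {"-"}))
    return meta["owner"], meta["group"], entries

def check(acl_text, user, groups, want="x"):
    """Return (granted, deciding_class) for `user` with group set `groups`."""
    owner, fgroup, entries = parse_acl(acl_text)
    mask = next((p for t, q, p in entries if t == "mask"), None)
    masked = lambda p: p if mask is None else p & mask
    if user == owner:  # 1. file owner: user:: entry, mask not applied
        return want in next(p for t, q, p in entries if t == "user" and not q), "owner"
    for t, q, p in entries:  # 2. named user entry, limited by the mask
        if t == "user" and q == user:
            return want in masked(p), "named user"
    # 3. owning group (group::) or named groups, limited by the mask
    matched = [p for t, q, p in entries if t == "group" and (q or fgroup) in groups]
    if matched:
        return any(want in masked(p) for p in matched), "group"
    # 4. no user or group entry matched: only other:: is consulted
    return want in next(p for t, q, p in entries if t == "other"), "other"

if __name__ == "__main__":
    for label, acl in (("before chmod o+x", BEFORE), ("after chmod o+x", AFTER)):
        for who in ("user20003", "unmatched"):  # "unmatched" is a constructed identity
            print(label, who, check(acl, who, {"user2xxxx"}))
```

With either listing, user20003 is granted execute through the named user entry; only an identity that matches no user or group entry changes from denied to granted when other:: gains x. access(2) performs this evaluation with the caller's real UID and GID, so the identity to compare is the real one at the time of the call.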