Re: [HTCondor-users] Problem with scitokens-cpp v1.3.0 and HTCondor-CEs
- Date: Thu, 19 Feb 2026 09:40:07 +0100
- From: Stefano Belforte <stefano.belforte@xxxxxxx>
- Subject: Re: [HTCondor-users] Problem with scitokens-cpp v1.3.0 and HTCondor-CEs
Hi Jaime, Antonio,
in CMS case we have the default
 SEC_SCITOKENS_CACHE = $(RUN)/cache and again the default
 RUN = $(LOCAL_DIR)/run
but due to the way condor is installed, we have
 LOCAL_DIR = /etc/condor/condor_local
which looks "not so standard" :-)
All I can say is that the SEC_SCITOKENS_CACHE directory had been owned by
the root account since 1 year ago (likely date of initial installation),
likely day 1 of our experimenting with tokens in this AP.
We always start credd via condor master, but it is surely a possibility that
when things were still being shaken out someone tried to run daemons
under the root account.
I also notice that in our case condor_start also starts the
/usr/sbin/condor_credmon_vault script via these lines in our
/etc/condor/config.d/...
DAEMON_LIST = $(DAEMON_LIST) CREDD CREDMON_OAUTH
CREDMON_OAUTH = /usr/sbin/condor_credmon_vault
And that /usr/sbin/condor_credmon_vault script runs as root.
So somehow condor seems to have sudo powers.
And it may also be that earlier versions of credmon_vault were touching
the cache directory.
Anyhow everything is working "as before" for us now
Stefano