[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] Windows jobs behave deifferently under Condor

On Wed, Aug 23, 2006 at 01:21:18PM +1200, Miskell, Craig wrote:
> > So my question boils down to something like this: Aside from the
> > environnment, is there some salient difference in the way jobs execute
> > under Condor which would have an impact on the runtime behavior of a
> > process?
> In case you've not already thought of it:  the other big difference
> would be what user it is running as.  Condor creates (I think) temporary
> users for the purpose of running jobs.  Perhaps the permissions on the
> executable (or the path to the executable) are such that the temporary
> user cannot see the executable (or possibly some other file like a dll).
> Check the ACLs on the exe and the directory tree up to root.  You would
> *probably* be safe allowing "Everyone" read/traverse/execute access to
> that whole path + the executable, but consider the possible security
> impact of that, with respect to the environment you're working in.

We had thought of that, but it doesn't hurt to double check...

The SPSS directory and both of the executables I'm concerned with are
marked to allow "read" and "read & execute" for the "Users" group.  When
I look up the "Users" group on the machine I've been using for testing,
I find it has a member called "condor-reuse-vm1".  That account is
marked "disabled", but I assume that doesn't matter since it can
successfully run other jobs (like the diagnostic batch file I used to
query the environment for comparison, and the "spssprod" executable
which does run successfully, but can't spawn its child, or whatever the
Windows parlance is).