
Re: [Condor-users] Securing local filesystem access for Condor on Windows



Patrick, 
It's now some time since I have been active with Condor but I did find some
time back that when I sent jobs which depended on files which were on the
System's path (Cygwin1.dll specifically), the jobs failed until I copied the
.dll file across in files_to_transfer. The documentation does say that the
condor_reuse_vm1 user is restricted pretty much to its own execute
directory.

There is documentation which allows you to set up 1 or 2 local users with
your own restrictions, however loose or tight you wish to make those, and
tell Condor to use those users instead of its own temporary ones. Again,
it's a while since I looked closely into these things but they are there.


Phil Crawford

_____________________________________________
Philip Crawford B Comp Sc, MIEEE
School of Medical Sciences
The University of NSW, Sydney, NSW, 2052
Phone: +61-2-9385 2564
Fax: +61-2-9385 1059
Email: p.crawford@xxxxxxxxxxx
_____________________________________________

-----Original Message-----
From: condor-users-bounces@xxxxxxxxxxx
[mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Patrick Townsend
Sent: Wednesday, 22 November 2006 11:27 PM
To: condor-users
Subject: [Condor-users] Securing local filesystem access for Condor on Windows

Hi

Is it possible to restrict the access to the local filesystem that the
Condor-reuse-vm1 account has when running a job on a Windows client?


The account condor-reuse-vm1 is added to the Windows local group Users. By 
default members of this group have R access to most of the local 
filesystem. This has obvious security implications as a job can hoover up 
data from the running node's local filesystem.

We are running Condor v6.6.11. I can think of three ways round this, but am 
unclear which is best and what may get broken. Has anyone tried these or 
can offer advice on what is the best way forward?
1) Remove account condor-reuse-vm1 from local group Users.
2) Change file perms to deny access to local filesystem outside sandbox 
directory d:\condor\execute\.
3) Does Condor have a feature which could help in this case?


	regards
		Patrick.

---------------------------------------------------
Patrick Townsend    -    Computer Systems Officer.
University of Bristol.