
Re: [Condor-users] Securing local filesystem access for Condor on Windows



On 11/22/06, Kewley, J (John) <j.kewley@xxxxxxxx> wrote:
> With the setup we have it is possible for a condor job to
> read/write anything that anyone else in User can. This includes
> the "All Users" section of "Documents\ and\ Settings".
>
> For instance it could remove default desktop icons!
>
> You have to be careful.
>
> JK

The default Windows setup is that only Admins (can't remember if Power
Users get it too) should have write access to "All Users"...

Violating this and then letting arbitrary code run on the machine you
don't trust is asking for trouble. Since no private data should (by
definition) be stored in All Users, that should not be a major
issue.

The default Windows 2003 Server security setup is actually such that a
lot of stuff you might want to do via Condor (like run a script to
execute the binary) doesn't work unless you loosen execute rights on
some specific files in system (relaunching another cmd for example).

Essentially if you have slack local file system permissions (this goes
for all OS installations) and you don't have full trust for the
executing code you're stuffed from the word go...

Matt
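
An audit of the point made in the reply above, as an added example that is not part of the original thread: it lists every Allow entry on the shared "All Users" profile (and its first-level folders) that grants write-type rights to a principal outside a trusted set. The use of `$env:ALLUSERSPROFILE` as the path, the trusted SID list and the function name `Get-UntrustedWriteAce` are assumptions to adjust to local policy.

```powershell
# Added example (not from the thread). Trusted-writer list and default path are assumptions.
param([string]$Path = $env:ALLUSERSPROFILE)

$trustedSids = @(
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-3-0'        # CREATOR OWNER
)

# Specific rights that allow creating, changing or deleting content, or re-permissioning it.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Get-Acl can also surface raw generic bits: GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
$writeMask = [int]$writeRights -bor 0x40000000 -bor 0x10000000

function Get-UntrustedWriteAce {
    param([Parameter(Mandatory)][string]$Target)
    $acl = Get-Acl -LiteralPath $Target
    foreach ($ace in $acl.Access) {
        # Deny entries and read/execute-only entries are not findings.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        # Compare by SID so localized or renamed group names do not matter.
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }   # unresolvable account: report as-is
        if ($trustedSids -notcontains $sid) {
            [pscustomobject]@{
                Path      = $Target
                Identity  = $ace.IdentityReference.Value
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Check the profile root and its first-level folders (Desktop, Start Menu, ...).
$targets = @($Path) + @(Get-ChildItem -LiteralPath $Path -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object FullName)
$targets | ForEach-Object { Get-UntrustedWriteAce -Target $_ } | Format-Table -AutoSize
```

Any row naming the account the job runs as, or a group it belongs to, means submitted code can modify shared profile content on that execute node.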