[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] restrict usage to few executables

On Mon, Mar 24, 2008 at 4:35 AM, Ian Chesal <ICHESAL@xxxxxxxxxx> wrote:
> >  I would like to forbide *some* users to send their own
>  > executables and allow them just to run /usr/bin/exec1 and
>  > /usr/local/bin/exec2.
>  > Can I do that ?
>  Offhand I can think of any feature in Condor that lets you control what
>  users can do at this level of detail. Your best bet is to wrap access to
>  pool in your own submission/authentication mechanism. Don't let users
>  submit directly to your pool, have them submit through your own
>  interface that applies its own security policy.

I second Ian's suggestion, but if you want something fast and nasty an
enforced job wrapper script which checks the executable, deletes any
transferred executable and redirects the arguments to a locally
installed (and with correct permission) executable that would do it.

If the user should not be providing any transferred files then you can
do this fairly simply, if they can you have to be more careful
(providing tricky dlls/so that take over and such like) but if you are
that worried then the controlled submit point is better anyway.

If they set the job to not transfer the executable you should still be
able to access $0 with the name, how much you choose to apply Postel's
law here is up to you.