I'm testing out condor on a Linux machine running with grsecurity/pax
patches. There's a setting that's causing some problems:
kernel.grsecurity.tpe_restrict_all = 1
From the docs:
CONFIG_GRKERNSEC_TPE_ALL:
If you say Y here, All non-root users other than the ones in the group
specified in the main TPE option will only be allowed to execute
files in
directories they own that are not group or world-writable, or in
directories
owned by root and writable only by root. If the sysctl option is
enabled, a
sysctl option with name "tpe_restrict_all" is created.
When running jobs in the vanilla universe that are executed as the
submitter, the dir_* directory is chowned by that user and their
primary
group. However, when submitting under the standard universe that
directory is owned by condor:condor even though execution is still
attempted by the submitter which results in a denial by the tpe rule:
May 8 11:46:45 bpkroth-tux grsec: From 127.0.0.1: denied untrusted
exec
of /var/condor/execute/dir_5435/condor_exec.24.0 by
/opt/condor-7.0.1-rhel5-dynamic/sbin/
condor_starter.std[condor_starter.:5440]
uid/euid:1000/1000 gid/egid:100/100, parent
/opt/condor-7.0.1-rhel5-dynamic/sbin/
condor_starter.std[condor_starter.:5435]
uid/euid:0/440 gid/egid:0/440
I would have expected the behavior to be similar to the vanilla
universe - the dir_* is owned by the user who will be executing the
job
(either condor, submitter, nobody, etc.). Is there a reason that's
not
the case that I'm missing?
![[Computer Systems Lab]](https://www-auth.cs.wisc.edu/pics/csl_logo.gif){kind=logo}