
Re: [Condor-users] Understanding PrivSep permissions



I think originally they intended to have PrivSep everywhere
but haven't finished the submission side of it.  Look at CondorWeek 2007
presentations, probably Zach Miller's talk that year.

Steve Timm


On Wed, 16 Dec 2009, Marc Tardif wrote:

Hi folks,

I've been reading the PrivSep wisdom on the following Condor wiki page:

 http://condor-wiki.cs.wisc.edu/index.cgi/wiki?p=PrivSep

My first question is about this line: "The submit side daemons must still
run as root unless there is only a single submitter or all submitters are
trusted (i.e. a personal Condor)." Is the reason for this to have the
necessary permission to read and write the log files?

My second question is about this line: "For a single Condor instance to
have both (multi-user) submit-side and execute-side functionality either
PrivSep must not be used or the Master must still run as root and be
configured to start the StartD without root (via the STARTD_USERID
setting)." I don't understand why PrivSep should not be used for both
submit and execute nodes. Can someone elaborate?



--
------------------------------------------------------------------
Steven C. Timm, Ph.D  (630) 840-8525
timm@xxxxxxxx  http://home.fnal.gov/~timm/
Fermilab Computing Division, Scientific Computing Facilities,
Grid Facilities Department, FermiGrid Services Group, Assistant Group Leader.