Mailing List ArchivesPublic Access |
![[Computer Systems Lab]](https://www-auth.cs.wisc.edu/pics/csl_logo.gif){kind=logo}
|
Mailing List ArchivesPublic Access |
|
On 1/27/2012 6:47 AM, John Lambert wrote:
Hello all, Has anyone had any luck limiting the ability of administrative accounts to view condor's working directory? I'm working with a hospital to set up a pool, and in order to comply with HIPAA, they need to restrict patient data from prying eyes. Most of the execute machines will be windows only, so any *NIX specific methods will probably be out of the question. Thanks, John
By Condor's working directory, I assume you mean the Condor execute directory (aka, the cwd where jobs run).
I just ran a quick test...At least on Windows 7, I just confirmed that you can set up DACLS (deny acls) on the execute directory (as specified by EXECUTE in condor_config, defaults to c:\condor\execute) to deny group "Users" permission for 1) Read & Execute, 2) List folder contents, and 3) Read permissions. This will prevent any regular user, including those with administrator access, from looking at the file in \condor\execute. However, Condor continues to run jobs just fine, since the service is running as LocalSystem and the jobs themselves will run as a slot user --- Condor will place specific permissions for the slot user as required.
Hope the above helps, Todd