[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] Sandboxing Condor

On 1/27/2012 6:47 AM, John Lambert wrote:
Hello all,

Has anyone had any luck limiting the ability of administrative accounts
to view condor's working directory? I'm working with a hospital to set
up a pool, and in order to comply with HIPAA, they need to restrict
patient data from prying eyes. Most of the execute machines will be
windows only, so any *NIX specific methods will probably be out of the


By Condor's working directory, I assume you mean the Condor execute directory (aka, the cwd where jobs run).

I just ran a quick test...

At least on Windows 7, I just confirmed that you can set up DACLS (deny acls) on the execute directory (as specified by EXECUTE in condor_config, defaults to c:\condor\execute) to deny group "Users" permission for 1) Read & Execute, 2) List folder contents, and 3) Read permissions. This will prevent any regular user, including those with administrator access, from looking at the file in \condor\execute. However, Condor continues to run jobs just fine, since the service is running as LocalSystem and the jobs themselves will run as a slot user --- Condor will place specific permissions for the slot user as required.

Hope the above helps,