
Re: [Condor-users] File permissions for temporary files, umask ignored



On Wed, Jun 06, 2012 at 06:28:28PM -0400, Myung Cho wrote:
> Hi,
> 
> I am testing Condor for use at our company and during our testing we
> noticed a security issue I can't seem to find a documented fix for. We
> have multiple teams sharing a cluster pool and each team runs a set of
> jobs which they would like to keep the actual program and the input &
> output data private. When normally run by hand, each team sets their
> umask so that the other teams can not view the program or the input &
> output. However, when the job is run via Condor, Condor creates the
> temporary files in /var/lib/condor/execute with world readable
> permissions. What we would like to see ideally is for condor to create
> these temp files with the umask set by the user or at least make it so
> the temp files are only user readable.

hi Myung,

condor does this for "historic" reasons (that is, reasons i don't find all that
compelling these days) and i will soon be working to change that to exactly the 
behavior you described.

in the meantime, you could wrap your job in a script which runs umask itself.
or if you are the admin of the cluster, you can set a USER_JOB_WRAPPER which
does this.


cheers,
-zach
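
One way to write the wrapper suggested in the reply above, as an added example that is not part of the original message or Condor's own code: it sets an owner-only umask and then execs the job. `JOB_UMASK` is a hypothetical override variable, the wrapper path in the comment is a placeholder, and the script assumes the job's scratch directory is exported as `_CONDOR_SCRATCH_DIR` and owned by the job user.

```shell
#!/bin/sh
# Added example: job wrapper that applies a restrictive umask before the job runs.
# Admin use (placeholder path): USER_JOB_WRAPPER = /path/to/private_umask_wrapper.sh
# Per-user use: submit this script as the executable, with the real
# program and its arguments as the job arguments.

# Hypothetical override knob; the default 077 means owner-only access.
JOB_UMASK="${JOB_UMASK:-077}"

apply_private_umask() {
    # Every file or directory the job creates from here on inherits this mask.
    umask "$JOB_UMASK" || return 1

    # A umask cannot change files that already exist, such as input files
    # placed in the scratch directory before the wrapper started. Removing
    # group/other access from the directory itself keeps other users from
    # reaching them.
    # Assumption: the scratch directory is named by _CONDOR_SCRATCH_DIR and
    # is owned by the user the job runs as.
    if [ -n "${_CONDOR_SCRATCH_DIR:-}" ] && [ -d "$_CONDOR_SCRATCH_DIR" ]; then
        chmod go-rwx "$_CONDOR_SCRATCH_DIR" 2>/dev/null ||
            echo "wrapper: could not tighten $_CONDOR_SCRATCH_DIR" >&2
    fi
    return 0
}

# Invoked as: wrapper <job executable> <job args...>
if [ "$#" -gt 0 ]; then
    apply_private_umask || exit 1
    # exec keeps the job's PID, signals and exit status visible to the caller.
    exec "$@"
fi
```

To confirm it took effect, have a test job run `umask` and `ls -ld "$_CONDOR_SCRATCH_DIR"` and check the output for `0077` and `drwx------`.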