
Re: [HTCondor-users] condor_ssh_to_job



On 8/22/2013 8:47 AM, Rich Pieri wrote:

What is more a security thing is giving each daemon its own unique UID
and GID instead of running everything as nobody:nogroup. This prevents
one compromised daemon from being able to access a different daemon's
files and memory space. An arbitrary range of UIDs and GIDs makes this
easier to manage.


I agree!!! (in HTCondor-speak, I'd replace the word 'daemon' above with 'job')

Here at UW-Madison, we assign specific UIDs/GIDs to slots (aka "slot users") instead of running as user nobody.

You can set things up so jobs either run as the submitting user (useful if you have a shared filesystem), or as a uid assigned to that slot.

See

http://research.cs.wisc.edu/htcondor/manual/v8.0/3_6Security.html#sec:RunAsNobody

and

http://research.cs.wisc.edu/htcondor/manual/v8.0/3_3Configuration.html#SECTION00437000000000000000

for more insights and config details.

Todd

--
Todd Tannenbaum <tannenba@xxxxxxxxxxx> University of Wisconsin-Madison
Center for High Throughput Computing   Department of Computer Sciences
HTCondor Technical Lead                1210 W. Dayton St. Rm #4257
Phone: (608) 263-7132                  Madison, WI 53706-1685
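As an added illustration of the slot-user setup Todd describes (this fragment is not from the post or the HTCondor manual), the execute-node configuration below shows the weak "everything runs as nobody" arrangement next to the per-slot account arrangement. The two-slot count, the account names slot1/slot2, and the assumption that those accounts were created beforehand with distinct UIDs/GIDs are mine.

```ini
# --- Weak (commented out): no slot accounts, owner execution disabled.
# Every job on this execute node runs as user 'nobody', so a job that
# escapes its sandbox shares a UID with every other job's processes
# and files on the machine.
#
# STARTER_ALLOW_RUNAS_OWNER = False
# (no SLOT<N>_USER defined -> jobs fall back to nobody)

# --- Hardened: one dedicated account per slot, distinct UID/GID each.
# Assumption: accounts slot1 and slot2 already exist on this node
# (e.g. created from a reserved UID/GID range by the sysadmin).
NUM_SLOTS = 2

# Jobs may run as the submitting user when the UID_DOMAIN matches
# (sensible with a shared filesystem); otherwise the slot user is used.
STARTER_ALLOW_RUNAS_OWNER = True
UID_DOMAIN = example.org

# Map each slot to its own account.
SLOT1_USER = slot1
SLOT2_USER = slot2

# Tell HTCondor these accounts are dedicated to one job at a time, so the
# starter can kill every process owned by the account and clean up files
# left behind when the job ends.
DEDICATED_EXECUTE_ACCOUNT_REGEXP = slot[0-9]+
```

After editing the execute node's configuration, run condor_reconfig on that node so the condor_startd picks up the new slot-user mapping.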