[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] condor_ssh_to_job

On 8/22/2013 8:47 AM, Rich Pieri wrote:

What is more a security thing is giving each daemon it's own unique UID
and GID instead of running everything as nobody:nogroup. This prevents
one compromised daemon from being able to access a different daemon's
files and memory space. An arbitrary range of UIDs and GIDs makes this
easier to manage.

I agree!!! (in HTCondor-speak, I'd replace the word 'daemon' above with 'job')

Here at UW-Madison, we assign specific UIDs/GIDs to slots (aka "slot users") instead of running as user nobody.

You can set things up so jobs either run as the submitting user (useful if you have a shared filesystem), or as a uid assigned to that slot.





for more insights and config details.


Todd Tannenbaum <tannenba@xxxxxxxxxxx> University of Wisconsin-Madison
Center for High Throughput Computing   Department of Computer Sciences
HTCondor Technical Lead                1210 W. Dayton St. Rm #4257
Phone: (608) 263-7132                  Madison, WI 53706-1685