Mailing List ArchivesPublic Access |
![[Computer Systems Lab]](https://www-auth.cs.wisc.edu/pics/csl_logo.gif){kind=logo}
|
Mailing List ArchivesPublic Access |
|
Hi, I have a security issue in that I need to ensure (for legal reasons) that machine owners cannot read the content of any job that is running on their machine. My jobs are Perl scripts with a bunch of supporting data, running on Windows machines (mix of Server2003 and XPSP2). I’ve managed to hide all temporary data in a subdirectory that I do a chmod 700 on, so that’s good. However, I also need to hide the job’s inputs & outputs and the problem I’m having is that Condor seems to be adding the following ACLs to the execute directory: BUILTIN\Users:(OI)(CI)R BUILTIN\Users:(CI)(special access:) FILE_APPEND_DATA BUILTIN\Users:(CI)(special access:) FILE_WRITE_DATA Therefore, when the deployment data is copied over by Condor, it becomes readable by every user on that machine in addition to condor-reuse-slotN. Is there a neat way of disabling this behaviour without hacking a whole bunch of CACLS calls into the front of my job script? It’s also a bit unsafe because the permissions removal won’t happen until after the sensitive data is copied in and the job started, so there’s a window wherein all local users can still read sensitive files. thanks, -- William Brodie-Tyrrell, B.E, Ph.D Systems Engineer Modelling & Analysis Direct + 61 8 8343 3376 william.brodie-tyrrell@xxxxxxxxxxxxxxxx Saab Systems 21 Third Avenue, Mawson Lakes SA 5095 Australia ------------------------ This e-mail is private and confidential between the sender and the addressee. In the event of misdirection, the recipient is prohibited from using, copying or disseminating it or any information in it. Please notify the above if any misdirection |