[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[HTCondor-users] Hiding job contents from machine owners



I have a security issue in that I need to ensure (for legal reasons) that machine owners cannot read the content of any job that is running on their machine.  My jobs are Perl scripts with a bunch of supporting data, running on Windows machines (mix of Server2003 and XPSP2).


I’ve managed to hide all temporary data in a subdirectory that I do a chmod 700 on, so that’s good.  However, I also need to hide the job’s inputs & outputs and the problem I’m having is that Condor seems to be adding the following ACLs to the execute directory:



BUILTIN\Users:(CI)(special access:)


BUILTIN\Users:(CI)(special access:)



Therefore, when the deployment data is copied over by Condor, it becomes readable by every user on that machine in addition to condor-reuse-slotN.


Is there a neat way of disabling this behaviour without hacking a whole bunch of CACLS calls into the front of my job script?  It’s also a bit unsafe because the permissions removal won’t happen until after the sensitive data is copied in and the job started, so there’s a window wherein all local users can still read sensitive files.







William Brodie-Tyrrell, B.E, Ph.D

Systems Engineer                                      

Modelling & Analysis


Direct + 61 8 8343 3376



Saab Systems                                                 

21 Third Avenue, Mawson Lakes

SA 5095 Australia                                             



This e-mail is private and confidential between the sender and the addressee.

In the event of misdirection, the recipient is prohibited from using, copying or

disseminating it or any information in it. Please notify the above if any misdirection