
Re: [HTCondor-users] El Capitan and Sandbox



I would very much appreciate it when you find the time and Mac :)

Thanks,
Kolja

On Wed, Jul 6, 2016 at 2:30 PM, Jaime Frey <jfrey@xxxxxxxxxxx> wrote:
> HTCondor can be made smarter about this. It collects basic information about all processes on the system (pid, ppid, cpu/memory usage), constructs a tree of parent-child relationships, then queries this data for various purposes.
> These are mainly tracking the cpu/memory usage of jobs while they run and identifying the descendants of an HTCondor daemon or job so that they can be killed along with the ancestor.
> task_for_pid() is used to collect the cpu and memory usage of each process. HTCondor doesn't need to collect that for system processes. If we could identify SIP-protected processes and skip the task_for_pid() call for them, I believe that would eliminate the system log spam.
>
> Unfortunately, my Mac died right around when this email thread began, so I can't work on a fix at the moment.
>
>  - Jaime Frey
>
> -----Original Message-----
> From: HTCondor-users [mailto:htcondor-users-bounces@xxxxxxxxxxx]
>
> Rich,
>
> I instinctively recoil at circumventing security features on this machine, but you have a point; I will mull on it.
>
> BTW, this error comes from procd trying to call task_for_pid which is now heavily regulated.
>
> Thanks,
> Kolja
>
> On Thu, Jun 23, 2016 at 3:44 PM, Rich Pieri <ratinox@xxxxxxx> wrote:
>> On 6/23/16 3:21 PM, Kolja Kauder wrote:
>>> Since the machine is a visible server, that won't be a secure
>>> long-term solution. It would however allow me to edit the Sandbox
>>
>> I fail to see how this follows. SIP offers no protection against
>> remote attacks and essentially no local protection given how easy it
>> is to exploit privileged binaries.
>>
>>> settings. Do I guess correctly that I only need to add a file called
>>> condor_procd.sb containing (allow mach-priv-task-port
>>>        (*) )
>>> ? (I didn't expect to ever use LISP outside .emacs :)
>>
>> My understanding is that changes to protected areas will be undone
>> when you enable SIP. There may be ways around this but you'll have to
>> go digging into the csrutil man pages to find them.
>>
>> --
>> Rich Pieri <ratinox@xxxxxxx>
>> MIT Laboratory for Nuclear Science
>> _______________________________________________
>> HTCondor-users mailing list
>> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx
>> with a
>> subject: Unsubscribe
>> You can also unsubscribe by visiting
>> https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
>>
>> The archives can be found at:
>> https://lists.cs.wisc.edu/archive/htcondor-users/
>
>
>
> --
> ________________________
> Kolja Kauder, Ph.D.
> Post-Doctoral Research Fellow,
> Physics Dept., Wayne State University
> ________________________



-- 
________________________
Kolja Kauder, Ph.D.
Post-Doctoral Research Fellow,
Physics Dept., Wayne State University
________________________
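
The approach Jaime Frey describes in the quoted reply, sketched as an added example (not HTCondor source and not code from anyone in this thread): the parent-child tree is built from pid/ppid alone, while the per-process usage query is skipped for processes that look SIP-protected. The `Proc` struct, the function names, the sample process table and the path-prefix test for "SIP-protected" are all assumptions made for illustration.

```cpp
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <vector>

struct Proc { int pid; int ppid; std::string exe; };

// Assumption: a binary under a SIP-protected directory counts as protected.
// /usr/local is outside SIP, so it is ruled out first.
bool sip_protected_path(const std::string& exe) {
    if (exe.rfind("/usr/local/", 0) == 0) return false;
    for (const char* r : {"/System/", "/usr/", "/bin/", "/sbin/"})
        if (exe.rfind(r, 0) == 0) return true;  // rfind at 0 = prefix test
    return false;
}

// Descendants of `root`, from pid/ppid pairs only (no task port needed).
std::set<int> descendants(const std::vector<Proc>& snap, int root) {
    std::multimap<int, int> children;
    for (const Proc& p : snap) children.insert(std::make_pair(p.ppid, p.pid));
    std::set<int> seen;
    std::vector<int> stack(1, root);
    while (!stack.empty()) {
        int cur = stack.back();
        stack.pop_back();
        auto range = children.equal_range(cur);
        for (auto it = range.first; it != range.second; ++it)
            if (seen.insert(it->second).second) stack.push_back(it->second);
    }
    return seen;
}

// Pids whose cpu/memory usage would be queried; protected ones are skipped.
std::vector<int> usage_query_pids(const std::vector<Proc>& snap) {
    std::vector<int> out;
    for (const Proc& p : snap)
        if (!sip_protected_path(p.exe)) out.push_back(p.pid);
    return out;
}

std::vector<Proc> sample_snapshot() {  // constructed process table
    return {{1, 0, "/sbin/launchd"}, {80, 1, "/usr/sbin/syslogd"},
            {500, 1, "/usr/local/condor/sbin/condor_master"},
            {510, 500, "/usr/local/condor/sbin/condor_starter"},
            {520, 510, "/bin/sh"}, {530, 520, "/Users/job/analysis"}};
}

int main() {
    for (int pid : usage_query_pids(sample_snapshot())) std::printf("%d\n", pid);
}
```

In the constructed table the job's `/bin/sh` (pid 520) is skipped for usage collection but still appears among the descendants of pid 500, so it could still be killed along with its ancestor.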