
Re: [HTCondor-users] docker universe and centos 6



On 9/5/2019 8:18 AM, Bockelman, Brian wrote:

Which user is it complaining about?  'condor' user or a target user?

Target user: Dockerfile creates condor user w/ ids matching ours. (You could omit that if you put them on SSO server but we have problems with that and systemd tempfiles so we moved them to /etc files instead.)

Philosophical aside that keeps me up at night: HTCondor goes out of its way to prevent people from running jobs as root.  In 2019, when "root inside the container" might be equivalent to "user nobody outside the container" (especially when the container is single-user), does this serve the same purpose as in 2009?

I was thinking about it last night: you could certainly drop a whole lot of complexity from your code and let the sandbox deal with the security... And from the container side too, because setting up dedicated users for software that refuses to run as root adds extra hoops that more often than not are just silly inside the sandbox.

Dimitri
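The "root inside the container might be equivalent to user nobody outside" point above only holds when the container runs in a user namespace that remaps uid 0. Whether that is the case is visible from the kernel itself, in /proc/self/uid_map, so it can be checked rather than assumed. The following is an added example and not part of the thread or of HTCondor or Docker; the uid_map contents it parses are constructed samples (the 100000/65536 remap range is an assumed value, the kind dockerd's userns-remap hands out), and the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example (not HTCondor or Docker code): decide whether uid 0 inside
# the current user namespace is remapped to an unprivileged host uid, by
# reading the map the kernel exposes at /proc/self/uid_map.
#
# Each uid_map line is: <first uid inside ns> <first uid outside ns> <count>
# Without a user namespace the map is the identity "0 0 4294967295":
# root in the container IS root on the host. With remapping (for example
# dockerd --userns-remap) it reads like "0 100000 65536": container root
# is host uid 100000, a user that owns nothing outside the container.

# host_uid_of_root MAP_TEXT
# Prints the host uid that namespace uid 0 maps to, or -1 if uid 0 is not
# mapped at all (then no process in the namespace can be root).
host_uid_of_root() {
    printf '%s\n' "$1" | awk '
        NF == 3 && $1 == 0 && $3 > 0 { print $2; found = 1; exit }
        END { if (!found) print -1 }'
}

# root_is_remapped MAP_TEXT
# Exit status: 0 = uid 0 is remapped to a non-zero host uid,
#              1 = identity map, container root is host root,
#              2 = uid 0 is not mapped in this namespace.
root_is_remapped() {
    h=$(host_uid_of_root "$1")
    case "$h" in
        -1) return 2 ;;
        0)  return 1 ;;
        *)  return 0 ;;
    esac
}

# Constructed sample maps (assumed values, not captured from a real host):
MAP_IDENTITY='         0          0 4294967295'
MAP_REMAPPED='         0     100000      65536'
MAP_NOROOT='      1000       1000          1'

# Live check on the process running this script (any Linux; skipped elsewhere).
if [ -r /proc/self/uid_map ]; then
    live=$(cat /proc/self/uid_map)
    if root_is_remapped "$live"; then
        echo "uid 0 here maps to host uid $(host_uid_of_root "$live"): remapped"
    else
        echo "uid 0 here is host uid 0 (or unmapped): root inside == root outside"
    fi
fi
```

Run the same check inside a container with `docker run --rm alpine cat /proc/self/uid_map` (or with the image the Dockerfile in the thread builds): a first column pair of `0 0` means the daemon is not remapping, and anything the job can do as root against a bind-mounted sandbox directory it can do as host root. That is the case in which dropping to a dedicated user inside the container still matters; with a remapped map the in-container user largely stops being a security boundary and becomes a file-ownership convenience, which is exactly why matching uids to the host's condor user comes up.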