
Re: [HTCondor-users] security question regarding condor_shadow processes




On 10/12/20 8:51 AM, Mary Hester wrote:
Hello,

I'm not sure if this question has already been covered (or maybe my
search foo has failed) but we had some questions about the condor_shadow
processes that run, in this case, from a submit host. I found this:


Hi Mary:

Thanks for the good question.

First, the standard universe is going away from HTCondor -- it has been removed from the 8.9 series, and is only supported on a couple of Linux platforms in 8.8, and doesn't really work in a glidein / grid environment.

Even with the more common vanilla universe (which includes the docker & java universes), there is a shadow process that runs under the schedd on the submit machine for every running job in the system. This shadow process runs as the Unix user id of the submitting user, and executes various system calls on behalf of the job. The shadow is not constrained by cgroups, containers or chroot today. The shadow runs system calls as the submitting user to

* Send the input sandbox of files from the submit machine to the execute machine

* Send the output sandbox of files from the execute machine to the submit machine

* Communicate with the startd/starter and schedd.

* Write the user job log events to file

* Service chirp requests from the running job, if enabled.

 ** These include reading and writing files as the submitting user. While these files are only those readable or writable by the submitting user, we've recently added support to further constrain the set of files the shadow can read or write via chirp.



Thanks,


-greg
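As an added illustration of the point in Greg's reply (this is example code, not part of the thread and not HTCondor's own code): because the shadow runs as the submitting user and chirp lets the job read and write submit-host files through it, a site that cares about this will want to know which submit descriptions turn chirp on. The script below parses submit description files and flags jobs that request chirp or the standard universe. It assumes that chirp is requested per job with the submit-file attribute `+WantIOProxy = True` (or the equivalent `want_io_proxy = true` submit command) and that `universe` defaults to vanilla when unset; the sample submit file is constructed for the example.

```python
"""Audit HTCondor submit description files for settings that widen what the
condor_shadow does on the submit host on the job's behalf.

Added example, not HTCondor project code. Assumptions:
  * chirp is enabled per job by '+WantIOProxy = True' or 'want_io_proxy = true'
  * 'universe' defaults to vanilla when the submit file does not set it
"""
import re

# 'key = value' or '+Attr = value' (raw ClassAd attribute); keys are
# matched case-insensitively, as condor_submit treats them.
_ASSIGN_RE = re.compile(r'^\+?\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')


def parse_submit(text):
    """Return {lower-cased key: raw value} for one submit description.

    Lines starting with '#' are comments; blank lines and 'queue' statements
    are skipped. A later assignment overrides an earlier one.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or line.lower().startswith('queue'):
            continue
        m = _ASSIGN_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def _is_true(value):
    """ClassAd-style truthiness for the values we expect in submit files."""
    return value.strip().strip('"').lower() in ('true', '1', 'yes')


def audit(text):
    """Return a list of human-readable findings for one submit description."""
    s = parse_submit(text)
    findings = []

    universe = s.get('universe', 'vanilla').strip().strip('"').lower()
    if universe == 'standard':
        findings.append('standard universe: removed in 8.9, limited support in 8.8')

    # Either spelling may be used; the ClassAd attribute is WantIOProxy.
    chirp = s.get('wantioproxy', s.get('want_io_proxy'))
    if chirp is not None and _is_true(chirp):
        findings.append('chirp enabled (WantIOProxy): the shadow will read and '
                        'write submit-host files for this job as the submitting user')
    return findings


# Constructed sample submit description (not from a real site).
SAMPLE_SUBMIT = """\
# constructed sample
universe   = vanilla
executable = analyze.sh
+WantIOProxy = True
queue
"""

if __name__ == '__main__':
    for finding in audit(SAMPLE_SUBMIT):
        print(finding)
```

Run it over a directory of submit files with a loop around `audit(open(path).read())`; a non-empty result marks a job whose shadow can be asked, via chirp, to read or write anything the submitting user can on the submit host.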