[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [condor-users] Some questions concerning security in Condor
- Date: Thu, 26 Feb 2004 12:12:32 -0600
- From: Zachary Miller <zmiller@xxxxxxxxxxx>
- Subject: Re: [condor-users] Some questions concerning security in Condor
> OK, here's another security-related question:
> On systems where Condor is running as root, is it possible for the job's
> executable to be chroot'd? In particular, is it possible to MAKE Condor
> chroot the job's executable?
not currently. were we to add such a feature, your pool and possible your job
would have to deal with a number of additional constraints:
+ if they aren't already, your condor daemons must run as root
the next three constraints apply only to vanilla universe jobs:
+ your executable must be statically linked since you will no longer be able
to access libraries in /lib or /usr/lib, etc. when you create a standard
universe job using condor_compile, it is already linked statically.
+ you *must* use file transfer since your input files would otherwise be
inaccessable (i.e. no NFS shares or pre-staging things in
/some/scratch/dir). likewise you must use file transfer to get your output
back since condor will blow away the execute dir after the job completes.
+ your job could not invoke any system() calls to other executables since
/bin, /usr/bin, etc would not be available.
there may be more constraints, these are just off the top of my head. if you
think you can live with that and still have it be useful, perhaps we can add
chroot jails as a new condor feature. please let us know what you think.
Condor Support Information:
To Unsubscribe, send mail to majordomo@xxxxxxxxxxx with
unsubscribe condor-users <your_email_address>