[GE users] Permissions for active_jobs/job_scripts directories

Reuti reuti at staff.uni-marburg.de
Mon Oct 27 10:30:16 GMT 2008


Hi Esteban,

On 27.10.2008 at 10:29, Esteban Freire wrote:

> Hello all,
>
> Checking the permissions for active_jobs/jobs and active_jobs under
> 'qmaster' or 'compute*' directories, we have seen that these
> directories can be read by all users on the node and therefore this
> is not secure for us, because in principle, it would be
> interesting that a user cannot read the job of another user.

Correct. That's the way it's implemented. While for the qmaster spool
directory you could change the permissions of the directory to avoid  
it (or use SGE 6.2 with Berkeley DB spooling), I'm not aware of the  
option to change it for the execution node with a simple default  
setting.

Nevertheless: you could use a queue prolog to change the protection
of the job just before the job starts. Chances are low that in this
short timeframe anyone can get access to the script:

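#!/bin/sh
# Queue prolog, run as root: hand the spooled job script to the job owner
# and remove all access for "other".
chown "$USER" "$JOB_SCRIPT"
chgrp "$(id -gn "$USER")" "$JOB_SCRIPT"
chmod o= "$JOB_SCRIPT"
exit 0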

This prolog must be defined in the queue definition to also execute
as root, i.e. "root@all.q.prolog" or alike.

-- Reuti



> Maybe we didn't install SGE correctly, or it's necessary to indicate
> something on the scheduler or global configuration, or doing the
> installation indicating an extra parameter.
>
> I would appreciate if someone could help me with this.
>
> $SGE_ROOT/default/spool/compute*
>
> drwxr-xr-x  4 root root  4096 Oct 27 09:17 active_jobs
> drwxr-xr-x  3 root root  4096 Oct 27 08:56 jobs
> drwxr-xr-x  2 root root  4096 Oct 27 09:17 active_jobs
>
> $SGE_ROOT/default/spool/qmaster
> drwxr-xr-x   2 root root   12288 Oct 27 10:12 job_scripts
>
> Thanks in advance,
> Esteban
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net
> For additional commands, e-mail: users-help at gridengine.sunsource.net
>
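
A check for the exposure shown in the listing above, and for confirming the effect of the prolog's `chmod o=`. This is an added example, not part of the original mail or of SGE; the function names audit_spool and count_exposed are assumptions, and the spool root (for instance $SGE_ROOT/default/spool) is passed as the argument.

```shell
#!/bin/sh
# Added example: report SGE spool entries that users outside the owner/group
# can read. Directory names are the ones from the listing in this thread.

# Print each job_scripts / active_jobs / jobs directory that "other" can list
# (004) or enter (001), and each regular file below one that "other" can read.
# "-perm -NNN" matches when every permission bit in NNN is set.
audit_spool() {
    spool_root=$1
    find "$spool_root" \
        \( -type d \
           \( -name job_scripts -o -name active_jobs -o -name jobs \) \
           \( -perm -004 -o -perm -001 \) -print \) -o \
        \( -type f \
           \( -path '*/job_scripts/*' -o -path '*/active_jobs/*' \
              -o -path '*/jobs/*' \) \
           -perm -004 -print \)
}

# Number of exposed entries; 0 means nothing under the spool tree is
# readable by other users.
count_exposed() {
    audit_spool "$1" | wc -l | tr -d ' '
}

# Stand-alone use: sh audit_spool.sh /path/to/spool
if [ "$#" -gt 0 ]; then
    audit_spool "$1"
fi
```

Run it as root so that find can descend into directories that are already restricted.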

