[GE users] Permissions for active_jobs/job_scripts directories

Esteban Freire esfreire at cesga.es
Mon Oct 27 10:52:04 GMT 2008


    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "ISO-8859-10" character set.  ]
    [ Some special characters may be displayed incorrectly. ]

Hi Reuti,

Thanks a lot for your quick answer. I think a prolog script could be 
enough for us, but in any case I need to study this with detail.

Thanks,
Esteban

Reuti wrote:
> Hi Esteban,
>
> Am 27.10.2008 um 10:29 schrieb Esteban Freire:
>
>> Hello all,
>>
>> Checking the permissions for active_jobs/jobs and active_jobs under 
>> 'qmaster' or 'compute*' directories, we have seen that this 
>> directories can be read by all users on the node and therefore this 
>> is not  secure  for us, because in principle, it would be interesting 
>> that an user cannot read the job of another user.
>
> correct. That's the way it's implemented. While for the qmaster spool 
> directory you could change the permissions of the directory to avoid 
> it (or use SGE 6.2 with Berkeley DB spooling), I'm not aware of the 
> option to change it for the execution node with a simple default setting.
>
> Nevertheless: you could use a queue prolog to change the protection of 
> the job just before the job starts. Chances are low, that in this 
> short timeframe anyone can get access script:
>
> #!/bin/sh
> chown $USER $JOB_SCRIPT
> chgrp `id $USER -gn` $JOB_SCRIPT
> chmod o= $JOB_SCRIPT
> exit 0
>
> This prolog must be defined in the queue definition to also execute as 
> root, i.e. "root at all.q.prolog" or alike.
>
> -- Reuti
>
>
>
>> Maybe, we didn't install SGE correctly, or it's necessary indicate 
>> something on the scheduler or global configuration, or doing the 
>> installation indicating an extra parameter.
>>
>> I would appreciate if someone could help me with this.
>>
>> $SGE_ROOT/default/spool/compute*
>>
>> drwxr-xr-x  4 root root  4096 Oct 27 09:17 active_jobs
>> drwxr-xr-x  3 root root  4096 Oct 27 08:56 jobs
>> drwxr-xr-x  2 root root  4096 Oct 27 09:17 active_jobs
>>
>> $SGE_ROOT/default/spool/qmaster
>> drwxr-xr-x   2 root root   12288 Oct 27 10:12 job_scripts
>>
>> Thanks in advance,
>> Esteban
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net
>> For additional commands, e-mail: users-help at gridengine.sunsource.net
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net
> For additional commands, e-mail: users-help at gridengine.sunsource.net
>
>



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net
For additional commands, e-mail: users-help at gridengine.sunsource.net




More information about the gridengine-users mailing list