Difference between revisions of "GLExec TransientPilotJobs"
From PDP/Grid Wiki
Jump to navigationJump to searchm |
m |
||
| Line 5: | Line 5: | ||
* Create a temporary directory for the target job using glexec. We provide a proof-of-principle implementation on how to create such a directory, and clean up after yourself at [https://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/pdpsoft/trunk/grid-mw-security/glexec/util/mkgltempdir/ https://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/pdpsoft/trunk/grid-mw-security/glexec/util/mkgltempdir/]. It will usually be inside a temporary, transient area specific to the pilot job. | * Create a temporary directory for the target job using glexec. We provide a proof-of-principle implementation on how to create such a directory, and clean up after yourself at [https://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/pdpsoft/trunk/grid-mw-security/glexec/util/mkgltempdir/ https://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/pdpsoft/trunk/grid-mw-security/glexec/util/mkgltempdir/]. It will usually be inside a temporary, transient area specific to the pilot job. | ||
* ensure that this directory is reachable for the target job. This may mean making the 'upstream' directory traversable (not but necessarily readable) by the world. | * ensure that this directory is reachable for the target job. This may mean making the 'upstream' directory traversable (not but necessarily readable) by the world. | ||
| + | |||
| + | = MkGlTempDir = | ||
| + | |||
| + | When creating a temporary directory in a world-writable area, you should take appropriate care to prevent race-condition vulnerabilities (the same ones that the old tempnam(3) suffers from). The script <tt>mkgltempdir</tt> helps to do that, but if you find any potential weaknesses, '''please let us know''': | ||
| + | |||
| + | Usage: mkgltempdir [-h] [-r [-f] gltmp_directory] | ||
| + | [-t targetdir-mode] [-m parentmode] [directory] | ||
| + | |||
| + | Create a directory owned by the glexec target user in a secure fashion. | ||
| + | The path of the directory created is printed to stdout. | ||
| + | |||
| + | -t targetdir-mode permissions of the target directory created | ||
| + | (default: 0700, i.e. unreadable by the glexec invoker) | ||
| + | -m parentmode permissions for the current user on the parent tree | ||
| + | (default: 0755, and should traversable for target uid) | ||
| + | -r gltmp_dir remove the target directory previously created by | ||
| + | $progname. Directory must be empty, unless -f | ||
| + | is also specified. | ||
| + | |||
| + | directory base directory in which target directory is created | ||
| + | (default: current value of \$TMPDIR or, if unset, /tmp) | ||
| + | |||
| + | Return value is 0 if directory was successfully created, non-zero otherwise. | ||
| + | |||
| + | |||
| + | Download the utility at: | ||
| + | |||
| + | * https://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/pdpsoft/trunk/grid-mw-security/glexec/util/mkgltempdir/ | ||
Revision as of 10:14, 31 March 2009
When you use glexec with transient directories and input sandboxes, it's important that you create a writable directory for your target job, and you do this in a safe and portable way.
In general, the setup of the batch system and OS at a site does not guarantee that the pilot job and the target user share a common group, even though in practice the 'top-level' VO group will usually be in common. However, it's not easy to identity this most-generic group. In these cases, you need to do two things:
- Create a temporary directory for the target job using glexec. We provide a proof-of-principle implementation on how to create such a directory, and clean up after yourself at https://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/pdpsoft/trunk/grid-mw-security/glexec/util/mkgltempdir/. It will usually be inside a temporary, transient area specific to the pilot job.
- ensure that this directory is reachable for the target job. This may mean making the 'upstream' directory traversable (not but necessarily readable) by the world.
MkGlTempDir
When creating a temporary directory in a world-writable area, you should take appropriate care to prevent race-condition vulnerabilities (the same ones that the old tempnam(3) suffers from). The script mkgltempdir helps to do that, but if you find any potential weaknesses, please let us know:
Usage: mkgltempdir [-h] [-r [-f] gltmp_directory]
[-t targetdir-mode] [-m parentmode] [directory]
Create a directory owned by the glexec target user in a secure fashion.
The path of the directory created is printed to stdout.
-t targetdir-mode permissions of the target directory created
(default: 0700, i.e. unreadable by the glexec invoker)
-m parentmode permissions for the current user on the parent tree
(default: 0755, and should traversable for target uid)
-r gltmp_dir remove the target directory previously created by
$progname. Directory must be empty, unless -f
is also specified.
directory base directory in which target directory is created
(default: current value of \$TMPDIR or, if unset, /tmp)
Return value is 0 if directory was successfully created, non-zero otherwise.
Download the utility at:
