When you use glexec with transient directories and input sandboxes, it's important that you create a writable directory for your target job, and you do this in a safe and portable way.
In general, the setup of the batch system and OS at a site does not guarantee that the pilot job and the target user share a common group, even though in practice the 'top-level' VO group will usually be in common. However, it's not easy to identity this most-generic group. In these cases, you need to do two things:
- Create a temporary directory for the target job using glexec. We provide a proof-of-principle implementation on how to create such a directory, and clean up after yourself at https://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/mwsec/trunk/mwsec-utils/mkgltempdir/. It will usually be inside a temporary, transient area specific to the pilot job.
- ensure that this directory is reachable for the target job. This may mean making the 'upstream' directory traversable (not but necessarily readable) by the world.
When creating a temporary directory in a world-writable area, you should take appropriate care to prevent race-condition vulnerabilities (the same ones that the old tempnam(3) suffers from). The script mkgltempdir helps to do that, but if you find any potential weaknesses, please let us know:
Usage: mkgltempdir [-h] [-r [-f] gltmp_directory] [-t targetdir-mode] [-m parentmode] [directory] Create a directory owned by the glexec target user in a secure fashion. The path of the directory created is printed to stdout. -t targetdir-mode permissions of the target directory created (default: 0700, i.e. unreadable by the glexec invoker) -m parentmode permissions for the current user on the parent tree (default: 0755, and should traversable for target uid) -r gltmp_dir remove the target directory previously created by $progname. Directory must be empty, unless -f is also specified. directory base directory in which target directory is created (default: current value of \$TMPDIR or, if unset, /tmp) Return value is 0 if directory was successfully created, non-zero otherwise.
Download the utility at:
- http://software.nikhef.nl/dist/mwsec/rpm/ (RPM repositories)
- http://software.nikhef.nl/security/mkgltempdir/ (source tarball)
- https://ndpfsvn.nikhef.nl/viewvc/mwsec/trunk/mwsec-utils/mkgltempdir/ (SVN source)