Bug 3474 - tmp subdir is not world-writable
Status: RESOLVED FIXED
Product: GRAM
Component: general
Version: 4.0.0
Platform: PC Linux
Importance: P3 normal
Target Milestone: 4.0.1
Reported: 2005-06-13 14:42 by
Modified: 2005-08-03 17:21 (History)


Description From 2005-06-13 14:42:11
The standard installation of the $G_L/tmp directory installs it with either
0755 or similar rights to the user owning the installation, usually "globus".
However, the Condor gridmonitor, a component for efficient use of pre-WS
components, creates state files for itself in the $G_L/tmp directory. In GT2
installations, the tmp directory used to be installed similar to system
temporary directories, e.g. file mode 1777. With the permissions on the tmp
directory more restrictive in GT4, the pre-WS components can no longer be
efficiently managed by the Condor grid monitor. 

Is it possible to create the tmp directory with modes 1777 instead?
------- Comment #1 From 2005-06-13 14:43:16 -------
Addendum: The grid monitor runs under the user ID of the invoking user, not as
user "globus". Thus the problems writing to the tmp directory. 
------- Comment #2 From 2005-07-18 14:46:56 -------
I'm not sure which setup package is responsible for creating the tmp/
directory.  I'm going to hand this over to Stu's team, since I see the files
"gram-Fork  gram-Multi  gram-service  gram_job_state" in it, and since
gridmonitor is essentially interacting with GRAM.
------- Comment #3 From 2005-07-18 15:13:38 -------
I bet that the files that are currently created in tmp/ are not created in a
secure way, so opening up the permissions on tmp/ might be a bad idea.
------- Comment #4 From 2005-07-18 15:23:00 -------
I think this bug can be marked resolved.  Basically Jaime changed condor to
write files in $GL/tmp/gram_job_state.  Details and condor ticket number in
forwarded message.

-Stu

Begin forwarded message:

From: "condor-admin response tracking system" <condor-admin@cs.wisc.edu>
Date: July 15, 2005 11:52:22 AM CDT
To: voeckler@cs.uchicago.edu
Cc: smartin@mcs.anl.gov, wilde@mcs.anl.gov
Subject: Re: [condor-admin #12371] grid-monitor and pre-WS GT4
Reply-To: condor-admin@cs.wisc.edu

On Jul 14, 2005, at 6:24 PM, condor-admin response tracking system wrote:

On Thu, 14 Jul 2005, condor-admin response tracking system wrote:

I have been informed by the Globus folks that $GLOBUS_LOCATION/tmp is
intended not to be mode 1777 and making it so may have unknown security
implications. I've changed the grid monitor to write into
$GLOBUS_LOCATION/tmp/gram_job_state, which is (and has to be) mode 1777.
The change will appear in the just-about-to-be-released Condor 6.7.9.

Out of curiosity: What is wrong with the system's notion of temporary
directories? /tmp or /var/tmp (or Linux /dev/shm) are no more and no less
secure than your path.

I didn't want to deal with the hassle of machines with multiple active
Globus installations. I'd have to incorporate the separate
$GLOBUS_LOCATIONs into the filenames used in /tmp, and I didn't want to
spend the time needed to implement and test it when a simple alternative
was available.

+----------------------------------+---------------------------------+
|            Jaime Frey            |  Public Split on Whether        |
|        jfrey@cs.wisc.edu         |  Bush Is a Divider              |
|  http://www.cs.wisc.edu/~jfrey/  |         -- CNN Scrolling Banner |
+----------------------------------+---------------------------------+
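
An added example, not code from Globus or Condor, illustrating the concern in comment #3 and the mode 1777 directory from the forwarded message: it audits a directory's mode for multi-user use and creates a state file with exclusive, no-follow, owner-only semantics. The function names, file names and temporary directories are constructed for the illustration.

```python
import os
import stat
import tempfile

def audit_shared_dir(path):
    """Return problems with using `path` as a state directory shared by many users."""
    st = os.lstat(path)  # lstat: do not follow a symlink standing in for the directory
    if not stat.S_ISDIR(st.st_mode):
        return ["not a real directory"]
    mode = stat.S_IMODE(st.st_mode)
    if not mode & stat.S_IWOTH:
        return ["not world-writable: other users cannot create state files"]
    if not mode & stat.S_ISVTX:
        return ["no sticky bit: any user can delete or rename others' files"]
    return []

def create_state_file(directory, name, data):
    """Create the file only if the name is unused; never follow a planted symlink."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(os.path.join(directory, name), flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)

def demo():
    results = {}
    with tempfile.TemporaryDirectory() as base:  # constructed sandbox
        for label, mode in (("0755", 0o755), ("0777", 0o777), ("1777", 0o1777)):
            d = os.path.join(base, label)
            os.mkdir(d)
            os.chmod(d, mode)  # chmod so the umask cannot mask the bits
            results[label] = audit_shared_dir(d)
        shared = os.path.join(base, "1777")
        # Another user pre-plants a symlink at a predictable state-file name.
        victim = os.path.join(base, "victim")
        os.symlink(victim, os.path.join(shared, "state.1"))
        try:
            create_state_file(shared, "state.1", b"job state\n")
            results["symlink"] = "followed"
        except FileExistsError:
            results["symlink"] = "refused"
        results["victim_created"] = os.path.exists(victim)
        create_state_file(shared, "state.2", b"job state\n")
        st = os.stat(os.path.join(shared, "state.2"))
        results["state_mode"] = oct(stat.S_IMODE(st.st_mode))
    return results

if __name__ == "__main__":
    print(demo())
```

A plain `open(path, "w")` on the same pre-planted name would follow the symlink and create or truncate the target, which is the kind of insecure creation that makes widening a directory to 1777 risky.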