Define RELEASE_DIR and BIN for the Glidein HTCondor
It is important to set RELEASE_DIR in each HTCondor configuration.
This way HTCondor is able to find its own binaries and libraries.
The defaults are:
BIN = $(RELEASE_DIR)/bin
SBIN = $(RELEASE_DIR)/sbin
LIBEXEC = $(RELEASE_DIR)/libexec
The default of RELEASE_DIR = /tmp/condorinstall0 is also a security risk, since /tmp can be written by all users.
There is a pull request: https://github.com/glideinWMS/glideinwms/pull/44
Hi all,

I wanted to point out a security issue in the default configuration of HTCondor + glideinWMS. The HTCondor release from UW defaults RELEASE_DIR to /tmp/condorinstall0. This means, in the absence of any other config (which, by default, there is), it will look for binaries in /tmp.

This is precisely what's happening in the glideinWMS configuration. RELEASE_DIR is unset and various directories (but not all!) are set directly. For example, BIN is not set in the generated configuration so, for all running glideins, BIN is set to /tmp/condorinstall0/bin.

Needless to say, I worry this opens things up to many shenanigans. For example, Greg noticed that when doing "condor_ssh_to_job" to a Singularity job, the pilot tries to execute the binary in /tmp/condorinstall0/bin/condor_docker_enter (which, in all likelihood, is *not* what we're looking for).

So, I think there's work all around:
1. HTCondor's compile-time default for RELEASE_DIR should _not_ be /tmp/condorinstall0 but rather some traditionally root-owned directory (/usr/local?)
2. glideinWMS should set RELEASE_DIR to CONDOR_DIR by default.

Thanks,
Brian
#2 Updated by Marco Mambelli about 2 months ago
- Status changed from Assigned to Resolved
Code changes have been merged in master and will be in v3.7.3. For hotfixes, the Factory should be modified:
- The file /var/lib/gwms-factory/web-base/condor_config should be modified. Add the line
BIN = $(CONDOR_DIR)/bin
Right before the line
SBIN = $(CONDOR_DIR)/sbin
- Run a factory upgrade command
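The risk described in the issue and the hotfix above, as an added shell example that is not part of this ticket or of glideinWMS: it audits a condor_config for an unset RELEASE_DIR or for BIN/SBIN/LIBEXEC resolving under /tmp, inserts the BIN line immediately before the SBIN line as the hotfix prescribes, and defines RELEASE_DIR from CONDOR_DIR as Brian's second item suggests. The sample config, the function names and the exact form of the RELEASE_DIR line are assumptions; the compiled-in default /tmp/condorinstall0 is the value the ticket reports.

```shell
#!/bin/sh
# Added example, not code from the ticket or from glideinWMS.
# Audits an HTCondor config for binary directories that end up under /tmp
# and applies the two fixes discussed in the ticket. The sample config is
# constructed to resemble the generated glidein condor_config the ticket
# describes: CONDOR_DIR and SBIN set, BIN and RELEASE_DIR not set.

# Write the constructed sample config to the file named in $1.
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample resembling the generated glidein condor_config
CONDOR_DIR = /home/glidein/condor
SBIN = $(CONDOR_DIR)/sbin
LIBEXEC = $(CONDOR_DIR)/libexec
EOF
}

# Print the value of macro $2 from config $1 (last definition wins, as in
# HTCondor); print nothing when the macro is not set.
condor_macro() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Expand $(RELEASE_DIR) and $(CONDOR_DIR) in value $1, using $2 and $3 as
# their values, to see the concrete path a glidein would use.
resolve_dir() {
    printf '%s\n' "$1" | sed -e "s|\\\$(RELEASE_DIR)|$2|g" -e "s|\\\$(CONDOR_DIR)|$3|g"
}

# Return 0 when the config is safe, 1 when RELEASE_DIR is unset or any of
# BIN/SBIN/LIBEXEC resolves under /tmp. Findings are printed to stdout.
audit_condor_config() {
    f="$1"; rc=0
    condor_dir=$(condor_macro "$f" CONDOR_DIR)
    rel=$(condor_macro "$f" RELEASE_DIR)
    if [ -z "$rel" ]; then
        # Compiled-in default reported in the ticket for the UW release.
        rel=/tmp/condorinstall0
        echo "RELEASE_DIR is unset; HTCondor falls back to its compiled-in default $rel"
        rc=1
    fi
    for m in BIN SBIN LIBEXEC; do
        v=$(condor_macro "$f" "$m")
        if [ -z "$v" ]; then
            v="\$(RELEASE_DIR)/$(echo "$m" | tr 'A-Z' 'a-z')"
            echo "$m is unset; HTCondor's default is $v"
        fi
        path=$(resolve_dir "$v" "$rel" "$condor_dir")
        case "$path" in
            /tmp/*) echo "$m resolves to $path, inside world-writable /tmp"; rc=1 ;;
            *)      echo "$m resolves to $path" ;;
        esac
    done
    return $rc
}

# The Factory hotfix from the ticket: add "BIN = $(CONDOR_DIR)/bin" right
# before the "SBIN = $(CONDOR_DIR)/sbin" line. Idempotent.
apply_bin_hotfix() {
    f="$1"
    if [ -n "$(condor_macro "$f" BIN)" ]; then
        echo "BIN already set; nothing to do"; return 0
    fi
    grep -q '^[[:space:]]*SBIN[[:space:]]*=' "$f" || { echo "no SBIN line found"; return 1; }
    awk '/^[[:space:]]*SBIN[[:space:]]*=/ && !done { print "BIN = $(CONDOR_DIR)/bin"; done = 1 } { print }' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Define RELEASE_DIR from CONDOR_DIR (Brian's item 2). The exact line used
# by the merged change is not shown in the ticket; this form is assumed.
define_release_dir() {
    f="$1"
    if [ -n "$(condor_macro "$f" RELEASE_DIR)" ]; then
        echo "RELEASE_DIR already set; nothing to do"; return 0
    fi
    printf 'RELEASE_DIR = $(CONDOR_DIR)\n' >> "$f"
}

# Demonstration on the constructed sample.
cfg=$(mktemp)
make_sample_config "$cfg"
echo "== before hotfix =="
audit_condor_config "$cfg" || echo "config is UNSAFE"
apply_bin_hotfix "$cfg"
define_release_dir "$cfg"
echo "== after hotfix =="
audit_condor_config "$cfg" && echo "config is safe"
rm -f "$cfg"
```

Run audit_condor_config against a real glidein condor_config (or the Factory's web-base/condor_config) to confirm no binary directory still resolves under /tmp after the upgrade; the resolver only expands RELEASE_DIR and CONDOR_DIR, so configs built from other macros need those added to resolve_dir.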