Bug #2705

Non-privilege separation broke in v3+. Continue to support it?

Added by John Weigand over 8 years ago. Updated over 7 years ago.

While testing the v3+ (master branch 5/15/12), I discovered that
a non-privilege separation scenario was broken.

There appears to be some question as to the continued support
of a non-privilege separation use case in V3+. Before attempting
to resolve this problem, it would be helpful to know whether we are
continuing support for it.

If we are not, then we should modify those sections of the code to
prohibit its use.

If we are to continue support, the remainder of this issue
identifies where the error is occurring as best I can tell.

The changes that appear to be causing the problem appear to have been
introduced on 7/14/2011 with commit 670ee234a. It is these arguments
that are causing the problem with a non-privsep use case in the
submitGlideins method of

exe_env.append('GLIDEIN_RSL=%s' % glidein_rsl)
glidein_arguments += " -cluster $(Cluster) -subcluster $(Process)"
.. the above are added in the get_submit_environment method of the same

For privilege separation, the glidein submit is done via the condor
switchboard and all is well.

For non-privilege separation, the glidein submit is done via..
- the setting of a set of environmental variables for which the
GLIDEIN_RSL has quoting problems when set to
- then the execution of condor_submit using a set of arguments
These 2 arguments are causing shell errors:
-cluster $(Cluster) -subcluster $(Process)

John Weigand


#1 Updated by John Weigand over 8 years ago

  • Assignee set to Anthony Tiradani

Based on the glideinWMS meeting on 6/4 and feedback from Dennis,
this is still needed.

Assigned it to Tony because he basically made all the changes.
I just tested it in both privsep and non-privsep modes to validate.

It is working fine.

John Weigand

#2 Updated by Anthony Tiradani over 8 years ago

  • Status changed from New to Feedback

Commits that address this issue:

The changes are:
1) a couple of pylint error fixes
2) some added logging used for debugging that made sense to keep
3) escaping characters that cause problems on the command line (non-privsep)
4) getting useful error messages back from condor_root_switchboard

Change #4 doesn't fix the issue but was necessary for testing the privsep case to ensure that we didn't break it with our changes.
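
Added example, not code from the glideinWMS commits or from anyone in this thread: it shows why the values named in the report break when pasted into a shell command line, and how escaping them (or avoiding the shell) delivers them intact. The probe standing in for condor_submit, the sample RSL value and the `NAME=value command` form of setting the environment are assumptions; only the `-cluster $(Cluster) -subcluster $(Process)` arguments come from the issue.

```python
import json
import os
import shlex
import subprocess
import sys

# The arguments are quoted in the issue; the RSL value is a constructed sample,
# since the issue does not show the real one.
ARGS = ["-cluster", "$(Cluster)", "-subcluster", "$(Process)"]
RSL = '(queue=default)(jobtype="single")'

# Hypothetical stand-in for condor_submit: reports the GLIDEIN_RSL and argv it got.
PROBE = [sys.executable, "-c",
         "import json,os,sys;"
         "print(json.dumps([os.environ.get('GLIDEIN_RSL'), sys.argv[1:]]))"]
PROBE_SH = " ".join(shlex.quote(p) for p in PROBE)


def via_shell(cmdline):
    """Run cmdline under /bin/sh; return (returncode, what the probe saw or None)."""
    p = subprocess.run(["/bin/sh", "-c", cmdline], capture_output=True, text=True)
    seen = json.loads(p.stdout) if p.returncode == 0 and p.stdout.strip() else None
    return p.returncode, seen


def naive_cmdline(rsl, args):
    """Values pasted into the shell string unescaped (the failing pattern)."""
    return "GLIDEIN_RSL=%s %s %s" % (rsl, PROBE_SH, " ".join(args))


def escaped_cmdline(rsl, args):
    """Every value goes through shlex.quote before the shell parses it."""
    quoted = " ".join(shlex.quote(a) for a in args)
    return "GLIDEIN_RSL=%s %s %s" % (shlex.quote(rsl), PROBE_SH, quoted)


def without_shell(rsl, args):
    """No shell involved: argv list plus env dict, so nothing needs escaping."""
    env = dict(os.environ, GLIDEIN_RSL=rsl)
    p = subprocess.run(PROBE + args, capture_output=True, text=True, env=env)
    return json.loads(p.stdout)


if __name__ == "__main__":
    print("naive, plain RSL :", via_shell(naive_cmdline("plain", ARGS)))
    print("naive, sample RSL:", via_shell(naive_cmdline(RSL, ARGS)))
    print("escaped          :", via_shell(escaped_cmdline(RSL, ARGS)))
    print("no shell         :", without_shell(RSL, ARGS))
```

In the naive form the shell treats `$(Cluster)` and `$(Process)` as command substitutions, so the HTCondor macros never reach the submit command, and the parentheses in the RSL value stop the line from parsing at all.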

#3 Updated by Anthony Tiradani over 8 years ago

  • Assignee changed from Anthony Tiradani to John Weigand

#4 Updated by John Weigand over 8 years ago

  • Status changed from Feedback to Resolved
  • Assignee changed from John Weigand to Anthony Tiradani

Tested both non-privilege separation and privilege separation
on 9/28/13. Both working fine.

Marking it as resolved and reassigning to Tony.

John Weigand

#5 Updated by Parag Mhashilkar over 7 years ago

  • Status changed from Resolved to Closed
