Hi Kostas,
As for your comment about putting this on a public list I agree it is definitely
time this was done publicly. This software is now released and public. If we don't
do it someone else will anyway.
See below for comments on your report. I would say this was more
serious than the previous one.
On Fri, Feb 18, 2005 at 09:38:33AM +0000 or thereabouts, Kostas Georgiou wrote:
> Is this something expected?
>
> $ edg-job-submit --vo dteam sleep.jdl
> ..
> - https://lxn1188.cern.ch:9000/TRIIV9rN2tUuFYwoqY6qQg
>
> edg-gridftp-ls --verbose gsiftp://lxn1188.cern.ch/var/edgwl/SandboxDir/TR/https_3a_2f_2flxn1188.cern.ch_3a9000_2fTRIIV9rN2tUuFYwoqY6qQg
> total 12
> -rw-r--r-- 1 edguser 92 Feb 18 09:28 .edg_wll_seq
> drwxrwx--- 2 edguser 39 Feb 18 09:28 input
> drwxrwx--- 2 edguser 6 Feb 18 09:28 output
> -rw------- 1 edguser 5663 Feb 18 09:28 user.proxy
> $ edg-gridftp-ls --verbose gsiftp://lxn1188.cern.ch/var/edgwl/SandboxDir/TR/https_3a_2f_2flxn1188.cern.ch_3a9000_2fTRIIV9rN2tUuFYwoqY6qQg/input
> total 8
> -rw-r--r-- 1 edguser 796 Feb 18 09:28 .BrokerInfo
> -rw-rw---- 1 edguser 126 Feb 18 09:28 sleep.sh
You had me very worried there for a moment. The gridftp server on the RB is hacked
in such a way that it does its own access controls on the file space. Now I am
trying to remember what it actually does. But I'm still worried; see later in the mail.
Looking at a job directory on the filesystem
drwxrwx--- 2 dteam001 edguser 4096 Feb 9 01:36 input
-rw-rw---- 1 dteam001 edguser 20 Feb 9 01:40 Maradona.output
drwxrwx--- 2 dteam001 edguser 4096 Feb 9 01:40 output
-rw------- 1 edguser edguser 5541 Feb 9 01:35 user.proxy
So I can't access the proxy but as you say I can look at the job files which is
less than ideal. It does not seem necessary for this to be the case.
> The input and output files are writable by everyone as far as I can see
> (not having a second certificate doesn't help in testing :), what will
> happen if someone overwrites the job and the job gets resubmitted because
> of a failure?
But with this comment you are of course completely correct, I replace someone's
script with do what you were going to do but "please send me your proxy as well".
This will be raised again.
Thanks for the report. Something will now happen.
I would say this is higher priority than the previous one. The fix has to be
at RB code level thinking about it quickly.
Steve
>
> That the input files are even readable is also a problem because of clueless
> users.
>
> $ edg-gridftp-ls --verbose gsiftp://lxn1182.cern.ch/var/edgwl/SandboxDir/...../input
> -rw-rw---- 1 edguser 490 Feb 18 08:32 .netrc
>
> Sending your passwords to the grid and in a directory that is readable by everyone
> with a proxy.......
>
> Kostas
--
Steve Traylen
http://www.gridpp.ac.uk/