Open JaikrishnaTS opened 7 years ago
JaikrishnaTS
commented
7 years ago There is no security issue (as in original message) because we have a separate folder called 'Scripts' which the submit node creates from scratch.
But this could be a feature for power users.
@akrinos would you find this useful?
cayelan
commented
7 years ago Arianna is definitely a power user :)
Kait, it might be good for you to follow the GRAPLE github site for updates?
On May 11, 2017, at 3:15 PM, Jaikrishna notifications@github.com wrote:
There is no security issue (as in original message) because we have a separate folder called 'Scripts' which the submit node creates from scratch.
But this could be a feature for power users.
@akrinos https://github.com/akrinos would you find this useful?
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/GRAPLE/GWS/issues/11#issuecomment-300889560, or mute the thread https://github.com/notifications/unsubscribe-auth/AHHZyoRCkisVB_ejrXglMMB7yOnLbHZtks5r415LgaJpZM4NRbSx.
Cayelan Carey, Ph.D. Assistant Professor Department of Biological Sciences Virginia Tech 2011 Derring Hall 926 West Campus Drive Blacksburg, VA 24061
skype: diatomsarelife website: http://carey.biol.vt.edu
akrinos
commented
7 years ago This would absolutely be a useful feature to me. More broadly, attempting to save an existing script could be dissuaded by either prompting the user to input date as part of the file name or separately, or saving the scripts automatically with the date somehow, if it is possible, for clarity and organization.
JaikrishnaTS
commented
7 years ago @akrinos I think I didn't explain it properly.
I was considering the possibility of executing a single experiment submission with an R post processing script attachment (similar to the job_desc.json now).
We don't intend to support adding to the 'public post processing script library' because that would pose a lot more security issues.
akrinos
commented
7 years ago @JaikrishnaTS you definitely explained properly! The second comment that was clear and it would be immensely useful - I thought the long-term idea you started off with was to store user-supplied post-processing scripts. The naming convention would be to facilitate storage and potential retrieval of these scripts. Thanks!
JaikrishnaTS
commented
7 years ago @kcratie Additional information regarding the security implications of allowing this. Section 3.8.13 of https://research.cs.wisc.edu/htcondor/manual/latest/3_8Security.html The jobs run under username 'condor' in current configuration.
A malicious R script can potentially manipulate other jobs running in the same worker, but possibly can't do anything beyond that.
Currently a hard coding of Rscript filename is used to run post processing scripts in worker.
Need to make sure that the user doesn't submit a Rscript file with the same name.
Fix by removing the Rscript file if found, in the else section of https://github.com/GRAPLE/GWS/blob/master/gws.py#L128