I just want to clarify the answer here. The use of sudo in Globus does not give any regular unix user the right to sudo execute processes as the globus user. Quite the opposite, what it does is allow the globus user (a daemon account) to sudo execute processes as regular users, so that all user jobs submitted via WS-GRAM will execute in the correct user account, according to the mapfile and the authenticated credentials of the submitting client.
You need to treat the globus account as a privileged space, like root, and avoid letting anybody have access since it has this escalated privilege capable of accessing most other user accounts.

karl

On Nov 06, [EMAIL PROTECTED] modulated:
> Michal,
>
> right, everyone who can login as the user who runs the container
> is able to run the commands specified in the sudoers config.
> There's no need however for ws-gram users to know the login/password
> of the user who runs the container. Same like you typically don't want
> everybody to have root access to a machine.
>
> Martin
>
> > Hi,
> >
> > thanks for reply. Does this mean, that everybody, who has an account on
> > a computer (or access to it) with globus, can run commands (defined in the
> > /etc/sudoers file), using sudo, as globus user?
> >

--
Karl Czajkowski
Software Architect
Univa UD
1001 Warrenville Road, Suite 550
Lisle, IL 60532
[EMAIL PROTECTED]
www.univa.com
