We’ve been scratching our heads on why are new user’s OOD’s interactive apps staging dirs in ondemand/data/sys/dashboard/batch_connect/sys/ having permission 700 since about the update we did last summer. This makes it very difficult to troubleshoot failed jobs as our support people don’t have root on our systems so they can’t see it.
Thanks Jeff. What would be the security issue? The server credentials files (like connection.yml in RStudio Server) are set to 700 even if the dir permissions are 755 - via the umask in the job_script_content.sh. Other files in there are scripts, SLURM job parameters, and logs, which all don’t have any unsecure info.
Maybe it’s not an issue of security, but rather privacy? IDK - I didn’t leave any comments, but my default position with anything like this is to be conservative, so that’s at least why I changed it to 700.
This is still on my mind, I just wanted to drop a note to that affect.I should definitely have something in 4.1 like a download logs button or similar or send logs with help ticket.
I’m also thinking of providing an option for admins to set so that the permissions are different, I just don’t know the ramifications of that. Honestly, I was a bit surprised that you could do this in the first place so I don’t want to get your hopes up on that front. It seems wild to me that this was the case, but maybe it’s just me?
Hi Jeff, sounds good, we have made the choice to manually edit the OOD code to set the permissions to 755, but that’s a bandaid so some long term solution would be good. Downloading the logs is a good start. Having a configurable setting would be perfect for our needs. Thanks.