Permissions for OOD interactive apps staging dirs

We’ve been scratching our heads over why new users’ OOD interactive app staging dirs in ondemand/data/sys/dashboard/batch_connect/sys/ have had permission 700 since about the update we did last summer. This makes it very difficult to troubleshoot failed jobs, as our support people don’t have root on our systems so they can’t see it.

I just ran across this PR, “ensure staged_root has is writable by the user” by johrstrom · Pull Request #3202 · OSC/ondemand · GitHub, which seems to be the culprit. Why is this being set to 700, not to 755? I am tempted to set this back to 755 at least in our installations, but I would imagine other sites would prefer this as well.

Thanks,
Martin

I’d say to avoid the exact thing you’re trying to do. I don’t believe these should be that public so that anyone anywhere can see them.

I’d say it’s a security issue, and that we (the developers) have to be very conservative with security issues like this.

Thanks Jeff. What would be the security issue? The server credentials files (like connection.yml in RStudio Server) are set to 700 even if the dir permissions are 755 - via the umask in the job_script_content.sh. Other files in there are scripts, SLURM job parameters, and logs, which all don’t have any insecure info.

I would think that output logs are sensitive. Or at the very least private. At least as a user I would expect them to be private.

Maybe it’s not an issue of security, but rather privacy? IDK - I didn’t leave any comments, but my default position with anything like this is to be conservative, so that’s at least why I changed it to 700.

Sounds good, thanks.
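An added example, not part of the thread or of Open OnDemand's code: a site weighing 700 against 755 can list exactly which staged files other users could read under each mode. The directory layout, session name and file modes below are constructed for illustration, and the check looks only at mode bits under the given root (not ACLs or the permissions of parent directories above it).

```python
import os
import stat
import tempfile

def exposed_files(staged_root):
    """Return paths (relative to staged_root) of regular files that 'other'
    users can read. A file is reachable only if every directory from
    staged_root down grants search (x) to others, so a 0700 top directory
    hides everything below it regardless of the files' own modes."""
    exposed = []

    def walk(dirpath):
        if not os.lstat(dirpath).st_mode & stat.S_IXOTH:
            return  # others cannot traverse this directory
        for entry in sorted(os.scandir(dirpath), key=lambda e: e.name):
            st = entry.stat(follow_symlinks=False)
            if stat.S_ISDIR(st.st_mode):
                walk(entry.path)
            elif stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                exposed.append(os.path.relpath(entry.path, staged_root))

    walk(staged_root)
    return exposed

def build_sample(top_mode):
    """Build a constructed staging tree whose top directory has top_mode."""
    root = tempfile.mkdtemp()
    session = os.path.join(root, "output", "constructed-session-id")
    os.makedirs(session)
    sample = (("connection.yml", 0o700),         # credentials, as in the thread
              ("output.log", 0o644),             # job output log
              ("job_script_content.sh", 0o755))  # generated job script
    for name, mode in sample:
        path = os.path.join(session, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "output"), 0o755)
    os.chmod(session, 0o755)
    os.chmod(root, top_mode)
    return root

if __name__ == "__main__":
    for mode in (0o700, 0o755):
        print(oct(mode), exposed_files(build_sample(mode)))
```

With the top directory at 755 the log and the job script are readable by every account on the system while connection.yml stays private; at 700 nothing below is reachable.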