Remove CAP_DAC_OVERRIDE in the job capabilities

This is no longer needed because we can now configure the UID:GID running the job.

Remove CAP_DAC_OVERRIDE in the job capabilities
This is no longer needed because we can now configure the UID:GID running the job.
e688e0d3 · BAIRE Anthony · 8e55e780 · e688e0d3
Commit e688e0d3 authored Sep 17, 2018 by BAIRE Anthony
--- a/controller/controller.py
+++ b/controller/controller.py
@@ -1074,9 +1074,8 @@ class JobManager(Manager):
            ctrl.check_host_path("isdir", job_path)
            hc = ctrl.sandbox.create_host_config(
                        binds = {job_path: {"bind": "/tmp"}},
+                        # disable all capabilities (for security reason)
                        cap_drop = ["all"],
-                        # FIXME: CAP_DAC_OVERRIDE needed because all nfs files have uid,gid=1000,1000
-                        cap_add = ["dac_override"],
                        # disable network access (for security reason)
                        network_mode = "none",