Prevent jobs and daemons from running setuid binaries
With the recent security concerns around "sudo" and new interfaces in the Linux kernel, it is possible for HTCondor to prevent all jobs from running setuid programs. We believe there is no setuid program that jobs should be running, perhaps with the exception of ping.
This ticket will change the condor_master to set the no-new-privileges bit for all its children, which will prevent jobs, daemons, and helper programs that daemons popen from accidentally running setuid programs.
We will knob this with DISABLE_SETUID, which defaults to true.
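As an added illustration, not code from this ticket or from HTCondor, the following Linux C program exercises the kernel interface the description refers to: prctl(PR_SET_NO_NEW_PRIVS) sets the no-new-privileges bit, PR_GET_NO_NEW_PRIVS and the NoNewPrivs field of /proc/<pid>/status read it back, a forked child shows that descendants inherit it, and a second prctl call shows that the bit cannot be cleared once set. The function names are ours; it assumes a Linux kernel with no_new_privs support (3.5 or later) and does not implement the DISABLE_SETUID knob itself.

```c
// Added example (not HTCondor code): set and check the Linux no_new_privs
// bit. Linux-only; requires kernel 3.5 or later.
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks for old headers; these are the kernel's constant values. */
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Set the bit on the calling process. Returns 0 on success, -1 on error.
 * Afterwards, execve() of a setuid/setgid or file-capability binary runs it
 * with the caller's credentials instead of escalating. The bit is inherited
 * across fork() and execve(), so a parent that sets it before spawning its
 * children covers every descendant, including anything they popen(). */
int enable_no_new_privs(void) {
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Query the bit: 1 if set, 0 if clear, -1 on error. */
int no_new_privs_enabled(void) {
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* The bit is one-way: asking the kernel to clear it fails with EINVAL.
 * Returns -1 (errno = EINVAL), so there is no "switch it back off" path. */
int try_clear_no_new_privs(void) {
    return prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Fork a child and report the bit as the child sees it (1 or 0), -1 on
 * error. This is the inheritance a parent daemon relies on. */
int child_no_new_privs(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(no_new_privs_enabled() == 1 ? 1 : 0);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Read NoNewPrivs from /proc/self/status, the same field an operator can
 * inspect for a running daemon in /proc/<pid>/status. -1 if not found. */
int proc_status_no_new_privs(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    int value = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "NoNewPrivs:", 11) == 0) {
            value = atoi(line + 11);
            break;
        }
    }
    fclose(f);
    return value;
}

int main(void) {
    printf("before: prctl=%d proc=%d\n",
           no_new_privs_enabled(), proc_status_no_new_privs());
    if (enable_no_new_privs() != 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        return 1;
    }
    printf("after:  prctl=%d proc=%d child=%d\n", no_new_privs_enabled(),
           proc_status_no_new_privs(), child_no_new_privs());
    if (try_clear_no_new_privs() != 0)
        printf("clearing the bit fails: %s\n", strerror(errno));
    /* Any setuid binary exec'd from here on runs with this process's uid. */
    return 0;
}
```

Build with `gcc -Wall -o nnp nnp.c` and run as an ordinary user. The practical caveat matches the one in the ticket: with the bit set, a setuid ping runs with the job's uid and can only send ICMP if the kernel permits unprivileged ICMP sockets for that group (the net.ipv4.ping_group_range sysctl); otherwise it fails rather than escalating.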
Very simple, straightforward patchset. I approve.