RE: [Condor-users] condor 6.6.5 install problems / Security hole



> If Condor runs as root, allowing any user other than root to edit the
> configuration file is a major security concern - if user 'condor' can
> add entries to the DAEMON_LIST, for example, then user 'condor' can start
> any process as root.
> 
> -Erik

One way to minimise this is to set up "sudo" to allow the condor user to edit
this file; a better way could be as follows:

1. condor_config is root writable only
2. local_condor_config is condor writable
3. Have a 3rd file condor_condor_safe (I am sure there is a better name)
   which comes AFTER local_condor_config in condor_config and is
   root writable only. This file would then have all the settings which
   only root should have access to, e.g. DAEMON_LIST

Of course, some settings are overwritten in the subsequent config files (I
believe DAEMON_LIST is, for instance), but others are ANDed (or is it ORed)
in with previous settings (or some other defaults).

I need a way to edit these configs as condor (either directly or as sudo
from condor) without having to pester the workstation owners to do the
changes for me.

Any thoughts? Would this work? Anything better?

JK
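
The three-file layering proposed above, as an added example that is not part of the original message and is not Condor's own code: it resolves a chain of config files and reports any protected setting whose final value comes from a file that a user other than root can write. It assumes plain KEY = VALUE lines where the last definition wins; the file contents, the HELPER entry and the PROTECTED set are constructed for illustration, and settings that are combined rather than overwritten are not modelled.

```python
import re

# Constructed sample layers, in the order they would be read.
# Each layer: (file name, users who can write it, file text).
LAYERS = [
    ("condor_config", {"root"},
     "DAEMON_LIST = MASTER, STARTD\nSTART = TRUE\n"),
    ("local_condor_config", {"root", "condor"},
     "DAEMON_LIST = MASTER, STARTD, HELPER\nSTART = KeyboardIdle > 300\n"),
    ("condor_condor_safe", {"root"},
     "DAEMON_LIST = MASTER, STARTD\n"),
]

PROTECTED = {"DAEMON_LIST"}  # settings only root should control (assumed set)
ASSIGN = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_.]*)\s*=\s*(.*?)\s*$")

def parse(text):
    """Yield (name, value) from KEY = VALUE lines, skipping comments."""
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = ASSIGN.match(line)
        if m:
            # Names are compared case-insensitively (assumption).
            yield m.group(1).upper(), m.group(2)

def resolve(layers):
    """Return {name: (value, file, writers)}; the last definition wins."""
    final = {}
    for fname, writers, text in layers:
        for name, value in parse(text):
            final[name] = (value, fname, writers)
    return final

def audit(layers, protected=PROTECTED):
    """List protected settings whose winning definition is not root-only."""
    final = resolve(layers)
    findings = []
    for name in sorted(protected):
        if name not in final:
            findings.append((name, None, "not set in any file"))
            continue
        _value, fname, writers = final[name]
        others = sorted(writers - {"root"})
        if others:
            findings.append((name, fname, "writable by " + ", ".join(others)))
    return findings

if __name__ == "__main__":
    print(audit(LAYERS))      # three-file layout: no findings
    print(audit(LAYERS[:2]))  # without the root-only file: DAEMON_LIST flagged
```

The audit passes only while every protected setting is actually defined in the root-only file that is read last; a protected name left out of that file falls back to whatever the condor-writable file says.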