Re: [Condor-users] condor 6.6.5 install problems / Security hole

[Erik Paulson <epaulson@xxxxxxxxxxx>]

On Mon, Jul 19, 2004 at 10:03:57AM +0100, Kewley, J (John) wrote:
> > If Condor runs as root, allowing any user other than root to edit the
> > configuration file is a major security concern - if user 'condor' can
> > add entries to the DAEMON_LIST, for example, then user 
> > 'condor' can start
> > any process as root. 
> > 
> > -Erik
> 
> One way to minimise this is to setup "sudo" to allow condor user to edit
> this file,
> a better way could be as follows:
> 
> 1. condor_config is root writable only
> 2. local_condor_config is condor writable
> 3. Have a 3rd file condor_condor_safe (I am sure there is a better name)
> which
>    comes AFTER local_condor_config in condor_config and is
>    root writable only. This file would then have all the settings which only
> 
>    root should have access to. eg DAEMON_LIST
> 

As someone else pointed out earlier, we already have this -
the the condor_config.root file, and the file pointed at by
LOCAL_ROOT_CONFIG_FILE. You can use thse to reset anything that the
LOCAL_CONFIG_FILE might have changed - however, anything that the
LOCAL_CONFIG_FILE sets that isn't reset is retained.

-Erik