
Re: [Condor-users] condor 6.6.5 install problems



Erik Paulson wrote:
> 
> If Condor runs as root, allowing any user other than root to edit the
> configuration file is a major security concern - if user 'condor' can
> add entries to the DAEMON_LIST, for example, then user 'condor' can start
> any process as root.
> 

However, this risk seems not to exist if root does this:

 - creates the file /etc/condor/condor_config.root 
   owned by root and mode 600 or 644

 - makes sure /etc/condor/condor_config.root 
   defines all sensitive settings, including 
   LOCAL_ROOT_CONFIG_FILE

And does something similar for condor_config.local.root.

A suggestion:
Perhaps future releases of Condor will split 
condor_config into several files, based on what 
subsystem is configured, e.g., central manager versus 
execution node, and the level of access 
(e.g., "condor" versus "root").

That would make it easier for root to know the list 
of all "sensitive" settings. 


Gabriel
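
An added example, not part of the original message and not Condor's own code: a Python check for the setup described above, verifying that the root config file is owned by root, is not writable by group or other, and defines the sensitive settings. The default list holds only the two names this thread mentions; the `owner_uid` parameter and the parent-directory check are assumptions added here.

```python
import os
import re
import stat

# Only the two names this thread mentions; extend per site (assumption).
SENSITIVE = ("DAEMON_LIST", "LOCAL_ROOT_CONFIG_FILE")
LOOSE = stat.S_IWGRP | stat.S_IWOTH  # write bits for group and other


def audit_root_config(path, required=SENSITIVE, owner_uid=0):
    """Return a list of problems; an empty list means the file passes."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink to another file
    except OSError as exc:
        return [f"cannot stat {path}: {exc.strerror}"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path} is not a regular file"]

    problems = []
    if st.st_uid != owner_uid:
        problems.append(f"{path} is owned by uid {st.st_uid}, expected {owner_uid}")
    if st.st_mode & LOOSE:  # 600 and 644 pass, 664 and 666 do not
        problems.append(f"{path} is group- or world-writable")

    # Whoever can write the directory can replace the file (added check).
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if pst.st_uid != owner_uid or pst.st_mode & LOOSE:
        problems.append(f"{parent} can be modified by a user other than uid {owner_uid}")

    # Collect names assigned in the file; Condor macro names are case-insensitive.
    defined = set()
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = re.match(r"\s*([A-Za-z_][\w.]*)\s*=", line)
            if m:
                defined.add(m.group(1).upper())
    for name in required:
        if name.upper() not in defined:
            problems.append(f"{name} is not defined in {path}")
    return problems


if __name__ == "__main__":
    for issue in audit_root_config("/etc/condor/condor_config.root"):
        print("FAIL:", issue)
```

Run it as root so a mode 600 file is readable; the same function can be pointed at condor_config.local.root with its own `required` list.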