[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] manager

On Thu, Mar 17, 2005 at 07:38:43AM -0700, Masao Fujinaga wrote:
> I learned during the condor week that one should not allow general 
> access to the central manager as this gives (by default) administrator 
> powers . Having already made a mistake of making the central manager 
> the same as my submit host, will it be sufficient to make the sbin 
> directory inaccessible to non-root?


out of the box, condor does host-based access control.  you'll see in your
condor_config file something like:


this means any commands like condor_off, condor_restart, etc. that originate
from that host will be allowed.  this is why you should restrict access to
that machine.  even if you were to hide the binaries, a user could download
condor themselves and still run condor_off from the central manager if they
can login to it.