
Re: [Condor-users] manager



On Thu, Mar 17, 2005 at 07:38:43AM -0700, Masao Fujinaga wrote:
> I learned during the condor week that one should not allow general 
> access to the central manager as this gives (by default) administrator 
> powers. Having already made a mistake of making the central manager 
> the same as my submit host, will it be sufficient to make the sbin 
> directory inaccessible to non-root?

no.

out of the box, condor does host-based access control.  you'll see in your
condor_config file something like:

HOSTALLOW_ADMINISTRATOR = $(CONDOR_HOST)

this means any commands like condor_off, condor_restart, etc. that originate
from that host will be allowed.  this is why you should restrict access to
that machine.  even if you were to hide the binaries, a user could download
condor themselves and still run condor_off from the central manager if they
can log in to it.


cheers,
-zach
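
The host-based check described in this reply, as an added example that is not part of the original message or of Condor itself: a small Python audit that expands `$(MACRO)` references in a condor_config and reports administrator-trusted hosts that ordinary users can log in to. The sample config, the host names and the `login_hosts` list are constructed assumptions; line continuations and included config files are not handled.

```python
import re

# Constructed sample config (host names made up); mirrors the quoted setting.
SAMPLE_CONFIG = """\
CONDOR_HOST = cm.example.org
HOSTALLOW_ADMINISTRATOR = $(CONDOR_HOST)
"""

MACRO = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)")

def parse_config(text):
    """Return {NAME: raw value}; a later assignment overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[name.strip().upper()] = value.strip()  # names compared case-insensitively
    return settings

def expand(value, settings, depth=0):
    """Expand $(NAME) references recursively; undefined macros become empty."""
    if depth > 10:
        raise ValueError("macro references nest too deeply (possible cycle)")
    sub = lambda m: expand(settings.get(m.group(1).upper(), ""), settings, depth + 1)
    return MACRO.sub(sub, value)

def admin_hosts(text):
    """Hosts whose commands are accepted at ADMINISTRATOR level."""
    settings = parse_config(text)
    raw = settings.get("HOSTALLOW_ADMINISTRATOR", "")
    return [h for h in re.split(r"[,\s]+", expand(raw, settings)) if h]

def audit(text, login_hosts):
    """Flag admin-trusted entries that ordinary users can reach.
    login_hosts: hosts where non-admin users have shell access (assumption)."""
    logins = {h.lower() for h in login_hosts}
    findings = []
    for host in admin_hosts(text):
        if "*" in host:
            findings.append(f"{host}: wildcard trusts every matching host")
        elif host.lower() in logins:
            findings.append(f"{host}: any user logged in here can send administrator commands")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, ["cm.example.org"]):
        print(finding)
```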