Re: [Condor-users] userprio security

["David A. Kotz" <dkotz@xxxxxxxxxxxxx>]

I understand.  You'll need to comment out

  # HOSTALLOW_ADMINISTRATOR = $(CONDOR_HOST)

and uncomment

  HOSTDENY_ADMINISTRATOR = *

and comment

  # HOSTALLOW_OWNER = $(FULL_HOSTNAME), $(HOSTALLOW_ADMINISTRATOR)


That should remove administrative rights from non-root accounts on these 
machines.  I'm guessing on this because I haven't tested this to see 
what the actual effects of these changes would do.

- dave


Roman Zubatyuk wrote:
> David,
>
>    Thank you for reply. But the my problem is that our pool is
> configured so that users can submit jobs only from the $(CONDOR_HOST).
> So, all of them have logins on central manager host. It present any
> user can change userprio values. Users can not kill job from the other
> user, but they can change priority factors. The latter action should
> only be allowed for condor administrators. As far as I understand
> administration is alowed on per-host basis, not at per-user basis. So,
> there is no possibility to devide users at $(CONDOR_HOST) into admins
> and restricted users?
>
> Regards,
>    Roman.
>
> On 4/3/06, David A. Kotz <dkotz@xxxxxxxxxxxxx> wrote:
> > Roman Zubatyuk wrote:
> > > Dear All,
> > >
> > >  I am using 6.7.13 I386-LINUX_RH72 codnor. I have ound that any user
> > > of my central manager can change users priority factors. Please, can
> > > you advise me the right configuration entry to disable it.
> > >
> > > Thanks in advance,
> > >    Roman.
> > >
> > > _______________________________________________
> > > Condor-users mailing list
> > > Condor-users@xxxxxxxxxxx
> > > https://lists.cs.wisc.edu/mailman/listinfo/condor-users
> >
> > Roman,
> >
> > This is the section of the condor_config file you should look at and
> > adjust.  I've left mine as $(CONDOR_HOST), which is the central manager,
> > because I don't allow users to log on to that machine.
> >
> >
> > ##--------------------------------------------------------------------
> > ##  Host/IP access levels
> > ##--------------------------------------------------------------------
> > ##  Please see the administrator's manual for details on these
> > ##  settings, what they're for, and how to use them.
> >
> > ##  What machines have administrative rights for your pool?  This
> > ##  defaults to your central manager.  You should set it to the
> > ##  machine(s) where whoever is the condor administrator(s) works
> > ##  (assuming you trust all the users who log into that/those
> > ##  machine(s), since this is machine-wide access you're granting).
> > HOSTALLOW_ADMINISTRATOR = $(CONDOR_HOST)
> >
> > ##  If there are no machines that should have administrative access
> > ##  to your pool (for example, there's no machine where only trusted
> > ##  users have accounts), you can uncomment this setting.
> > ##  Unfortunately, this will mean that administering your pool will
> > ##  be more difficult.
> > #HOSTDENY_ADMINISTRATOR = *
> >
> > ##  What machines should have "owner" access to your machines, meaning
> > ##  they can issue commands that a machine owner should be able to
> > ##  issue to their own machine (like condor_vacate).  This defaults to
> > ##  machines with administrator access, and the local machine.  This
> > ##  is probably what you want.
> > HOSTALLOW_OWNER = $(FULL_HOSTNAME), $(HOSTALLOW_ADMINISTRATOR)