
Re: [Condor-users] CONDOR Windows Client Security



> Does anyone know if it is possible to submit a Condor job that can, for
> instance, access (read, write, modify) the various user folders under
> 'documents and settings' or other secure folders?

When I tried this out last year, it could access the "All Users" parts of 
Documents and Settings. This meant it could add/remove icons to
Desktops for instance. I don't know if that was a "feature" of our security
setup, or the version of Condor I was using.

> I understand that the Condor service runs using the local system account
> and this obviously has elevated privileges.  I have also come across the
> dynamically created account 'condor-reuse-vm1' (it is shown as disabled)
> which is a member of the local users group - is this the account that
> Condor actually uses to run jobs locally??

I believe so, unless you tell Condor to use a particular named a/c.

> Is it possible for a Condor job to perhaps add the 'condor-reuse-vm1'
> user account to the local admin group and then obviously be potentially
> able to access all folders and files?

I suspect that if a Condor job (running as condor-reuse-vm1) could amend
local admin groups, then it already has sufficient permissions to do damage
and there would be something wrong with your basic permissions. Condor jobs run at
a low privilege, lower than someone logged on directly to that machine (who of course
can usually amend "All Users" things as described above). While the Condor service
may have additional privileges, the Job will not.

They cannot access users' personal information UNLESS they would be able to access
it by logging directly onto that machine (i.e. user has put stuff in non-account
restricted areas, like a 2nd partition, or outside Documents and Settings).
 
> We are guessing not, but it would be good to have a definitive answer on
> this and thus put our users' minds at rest.

This is NOT a definitive answer, but I don't think I am too far off the mark.
 
Condor is an excellent way of utilising spare resources, but you do need to understand
the security implications.

JK
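
One way to check both points raised in this thread on an execute machine, as an added example that is not part of the original messages or of Condor itself: it lists the local groups each job account belongs to and shows which broad principals can write to the shared "All Users" profile. It assumes the LocalAccounts module (Windows PowerShell 5.1 or later) and that job accounts follow the `condor-reuse-*` naming seen above.

```powershell
# Added audit example; the account pattern and the paths checked are assumptions.
$pattern  = 'condor-reuse-*'
$adminSid = 'S-1-5-32-544'                      # BUILTIN\Administrators
$broad    = 'S-1-5-32-545', 'S-1-1-0', 'S-1-5-11' # Users, Everyone, Authenticated Users

# 1. Group membership of each dynamically created job account.
$accounts = @(Get-LocalUser | Where-Object { $_.Name -like $pattern })
if ($accounts.Count -eq 0) { Write-Warning "No local accounts match $pattern" }
foreach ($acct in $accounts) {
    $groups = foreach ($g in Get-LocalGroup) {
        try {
            $members = Get-LocalGroupMember -Group $g -ErrorAction Stop
            if ($members | Where-Object { $_.SID -eq $acct.SID }) { $g }
        } catch { Write-Warning "Could not enumerate group '$($g.Name)': $_" }
    }
    [pscustomobject]@{
        Account = $acct.Name
        Enabled = $acct.Enabled
        Groups  = ($groups.Name -join ', ')
        IsAdmin = [bool]($groups | Where-Object { $_.SID.Value -eq $adminSid })
    }
}

# 2. Write-type rights granted to broad principals on shared profile folders.
#    A job account in the Users group inherits anything granted to them.
$writeRights = [System.Security.AccessControl.FileSystemRights] `
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Also catch raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$mask = [int]$writeRights -bor 0x50000000

$paths = @($env:ALLUSERSPROFILE, (Join-Path $env:ALLUSERSPROFILE 'Desktop')) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }
foreach ($p in $paths) {
    $acl   = Get-Acl -LiteralPath $p
    # Ask for SIDs directly so unresolvable names do not break the comparison.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $mask) -ne 0
    } | Select-Object @{ n = 'Path'; e = { $p } }, IdentityReference,
                      FileSystemRights, IsInherited
}
```

Any row with `IsAdmin` set to true, or any rule returned by the second part, identifies a permission on that machine that a job account could use.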