Re: [Condor-users] CONDOR Windows Client Security
- Date: Wed, 8 Feb 2006 16:40:08 +0200
- From: Maxim Kovgan <maxim.kvg@xxxxxxxxx>
- Subject: Re: [Condor-users] CONDOR Windows Client Security
On 2/8/06, Gregory Regan <gregory.regan@xxxxxxxxxxxxxx> wrote:
> We are currently setting up a Condor Grid to utilise the spare capacity
> of our staff and student PCs and the question of security has been
> Does anyone know if it is possible to submit a Condor job that can, for
> instance, access (read, write, modify) the various user folders under
> 'documents and settings' or other secure folders?
Yes, if the user under which Condor runs has permissions for that.
> I understand that the Condor service runs using the local system account
> and this obviously has elevated privileges. I have also come across the
> dynamically created account 'condor-reuse-vm1' (it is shown as disabled)
> which is a member of the local users group - is this the account that
> Condor actually uses to run jobs locally??
If you do nothing for securing Windows, you might end up with all
users running as Administrators, in which case, well, don't blame
Condor. But, if you limit users (and groups like Users, Everyone etc.)
to be able to live only in a limited environment, The opposite is
you should refer to this:
namely chapter: 6.2.4 (Security Considerations in Condor for Windows)
and, of course http://www.cs.wisc.edu/condor/manual/v6.7/3_7Security.html#sec:RunAsNobody
It answers your questions.
> Is it possible for a Condor job to perhaps add the 'condor-reuse-vm1'
> user account to the local admin group and then obviously be potentially
> able to access all folders and files?
> We are guessing not, but it would be good to have a definitive answer on
> this and thus put our users' minds at rest.
> Many thanks in advance.
> Gregory Regan
> Principal Computing Officer
> University of Plymouth
> Drake Circus
> PL4 8AA
> Tel: 01752 233930
> Fax: 01752 233839
> Mob: 07974 248036
> E-mail: gregory.regan@xxxxxxxxxxxxxx
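A check an administrator can run on an execute machine for the two questions raised in this thread, as an added example that is not part of the original messages or of Condor: it lists the local groups of every account named like `condor-reuse-vm1` and the profile folders whose ACLs grant access to broad groups. It assumes Windows PowerShell 5.1 or later (for the LocalAccounts cmdlets), an elevated prompt, and the account-name pattern quoted above.

```powershell
# Added example, not from the thread or from Condor. Run from an elevated prompt.
# Assumption: job accounts follow the 'condor-reuse-vm1' naming quoted in the thread.
$jobAccounts = @(Get-LocalUser | Where-Object { $_.Name -like 'condor-reuse-*' })

# Well-known SIDs, so the checks also work on localized Windows installs.
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'      # BUILTIN\Administrators
$broadSids  = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, BUILTIN\Users

# 1. Which local groups does each job account belong to, and is it an administrator?
$adminSids = @((Get-LocalGroupMember -Group $adminGroup).SID.Value)
$membership = foreach ($acct in $jobAccounts) {
    $groups = Get-LocalGroup | Where-Object {
        $members = Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue
        $members.SID.Value -contains $acct.SID.Value
    }
    [pscustomobject]@{
        Account = $acct.Name
        Enabled = $acct.Enabled
        Groups  = $groups.Name -join ', '
        IsAdmin = $adminSids -contains $acct.SID.Value
    }
}

# 2. Which profile folders grant access to broad groups? An account in the local
#    Users group, as condor-reuse-vm1 is said to be in the thread, can reach these.
$profileRoot = Split-Path -Path $env:USERPROFILE -Parent
$exposed = foreach ($dir in Get-ChildItem -Path $profileRoot -Directory -Force) {
    try {
        $rules = (Get-Acl -Path $dir.FullName -ErrorAction Stop).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "Cannot read ACL of $($dir.FullName): $($_.Exception.Message)"
        continue
    }
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq 'Allow' -and $broadSids -contains $rule.IdentityReference.Value) {
            [pscustomobject]@{
                Folder = $dir.FullName
                Sid    = $rule.IdentityReference.Value
                Rights = $rule.FileSystemRights
            }
        }
    }
}

$membership | Format-Table -AutoSize
$exposed    | Format-Table -AutoSize
```

Any row with `IsAdmin` set to True, or any private profile folder listed in the second table, is a finding to fix in the Windows configuration before jobs are accepted on that machine.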