[Condor-users] condor security again



This follows up the earlier authorization thread
which seems to have gone a bit cold. I've been
having a look at the Condor configuration model
again and there seems to be no way
of enforcing a policy that execute hosts cannot be
used (potentially) as submit hosts without having
strong user authentication. If a rogue user
could install a client on an execute host it could then
be used to submit jobs (nasty!). My thinking is this:

An execute host requires an entry in HOSTALLOW_READ
and HOSTALLOW_WRITE in the central manager
config file but these are also the same requirements
as a submit host.

The collector receives job classads on the same port
as the machine classads with the only difference
between them being the classad type.

I'm hoping someone out there will find a flaw in this
reasoning! This was raised previously in

https://lists.cs.wisc.edu/archive/condor-users/2005-September/msg00080.shtml

but the answers seemed a bit vague.

Using firewalls to enforce the policy also looks difficult
because as far as I can see neither the submit host nor execute hosts
use well-known ports.

regards,

-ian.
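
An added example, not part of the original post and not Condor project code: since host-based HOSTALLOW_READ/HOSTALLOW_WRITE entries cannot tell the two roles apart, one compensating check is to watch the ads the collector holds and flag submit-side ad types coming from hosts that are meant to be execute-only. The attribute names (MyType, Machine), the type values (Scheduler, Submitter) and the long-form text layout are assumptions about how the ads are dumped; the host names and the role inventory are constructed.

```python
import re

# Constructed sample: ads in long form, one attribute per line,
# blank line between ads. Host names are made up.
SAMPLE_ADS = '''\
MyType = "Machine"
Machine = "node01.example.org"

MyType = "Scheduler"
Machine = "submit.example.org"

MyType = "Scheduler"
Machine = "node02.example.org"

MyType = "Submitter"
Machine = "NODE02.example.org"
'''

# Hypothetical site inventory: hosts that are meant to run jobs only.
EXECUTE_ONLY = {"node01.example.org", "node02.example.org"}
# Ad types taken to mean "this host is acting as a submit point" (assumed values).
SUBMIT_TYPES = {"Scheduler", "Submitter"}

# attribute = value, with optional double quotes around the value
ATTR = re.compile(r'^\s*(\w+)\s*=\s*"?(.*?)"?\s*$')

def parse_ads(text):
    """Split long-form output into a list of {attribute: value} dicts."""
    ads = []
    for block in re.split(r'\n\s*\n', text.strip()):
        ad = {}
        for line in block.splitlines():
            m = ATTR.match(line)
            if m:
                ad[m.group(1)] = m.group(2)
        if ad:
            ads.append(ad)
    return ads

def unexpected_submitters(ads, execute_only):
    """Return (host, ad type) for submit-side ads sent by execute-only hosts."""
    allowed = {h.lower() for h in execute_only}  # host names compare case-insensitively
    return [(ad["Machine"].lower(), ad["MyType"]) for ad in ads
            if ad.get("MyType") in SUBMIT_TYPES
            and ad.get("Machine", "").lower() in allowed]

if __name__ == "__main__":
    for hit in unexpected_submitters(parse_ads(SAMPLE_ADS), EXECUTE_ONLY):
        print("execute-only host advertising as a submit host:", hit)
```

This detects the situation after the fact; it does not stop the host from advertising.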