[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Condor-users] FS REMOTE with 6.8.1



I'm about to migrate my Linux cluster (with shared NFS filesystems) from 6.7.20 to 6.8.1. I want to verify my understanding of the authentication changes and their implications before doing so.

In the past, I've put the new version of Condor in place by changing a symlink and allowing the daemons to upgrade themselves as they noticed the new versions, which has worked pretty well. It seems that with the new version I will have to schedule downtime and upgrade all machines at once, but that I will not have to change anything in my Condor config. Is that correct?



From the release notes:

"Fixed a security vulnerability in Condor's FS and FS_REMOTE authentication methods. The vulnerability allowed an attacker to impersonate another user on the system, potentially allowing submission of jobs as a different user. This may allow escalation to root privilege if the Condor binaries and configuration files have improper permissions. The fix is not backwards compatible, which means all daemons and tools using FS authentication must be running Condor 6.8.1 or greater. The same applies to FS_REMOTE; All daemons and tools using FS_REMOTE must be using Condor 6.8.1 or greater. In practice, this means that for FS, all Condor binaries on one host must be version 6.8.1 or greater, but versions can be different from host to host. For FS_REMOTE it means all binaries across all hosts must be 6.8.1 or greater."