[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] Mounting network resources in Windows



On 1/19/07, Buhl, Marshall <Marshall_Buhl@xxxxxxxx> wrote:
Hi,

I thought I would share a fairly simple, and reasonably secure,
technique

Whilst not wanting to denigrate your efforts nor discourage sharing
them with the community I should point out that this security through
obscurity is in not significantly more secure than passing them as
plain text and users should not kid themselves that this is the case.

To evesdroppers this is roughly equivalent to putting bit of
(consistent) junk in between the user/password components which you
could do in the batch file if you wanted. In fact based on how many
compiled programs operate the string literals could all be relocated
into contiguous locations thus rendering even that step pointless.

If you believe the network your farm operates on is not secure from
snooping and this is a worry then you should move to 6.8 with genuine
encryption on the creddential passing which allows running as the
submitting user or comparable equivalent.

As a side note there is no need to transfer the net executable so long
as the executing condor user has rights to run the net command in the
system directory. Win2003 does not allow this by default for low
priviledge users. Explictly adding permission to the users that condor
executes as without runas behaviour is a sensible solution. If you use
runas then it is assumed that the users have the relevant permissions
if you want them to. Obviously if you are executing on machines which
are cycle stealing where you do not have admin control in the same way
then passing the executable is a solution.

Matt