
[Condor-users] Two issues for Quill administrators



We'd like to call your attention to two Quill issues. This information
was also posted on the "News" section of the Condor web page.

When quill was first developed, it was designed to work with older versions
of the postgres database server.  Newer versions of postgres have stronger
security features, which can be enabled in the postgres configuration,
requiring no changes to the quill daemon.  We recommend that all quill sites
upgrade to the latest version of postgres (8.2), and make these easy
changes to their postgres configuration.  If this is not done, any user who
can sniff the network between the quill daemon and the postgres server can
obtain the quill database password and make changes to the quill database.
This can change the output of condor_q and condor_history, but CANNOT
otherwise impact condor's correctness or security.  Unauthorized users
cannot otherwise use this database password to run jobs or mutate Condor's
configuration.

A second problem with the previously recommended configuration was
that any user with the publicly-available read-only quill postgres
password could create new tables in the database and store information 
there.
While this doesn't affect the running of condor in any way, sites may
view it as a security problem.

As of Condor 6.8.6 and 6.9.4, the condor manual has been updated to
describe the more secure installation of postgres, which remedies both
of the above problems.  These changes include the following:

Change the authentication method (the final field) in the pg_hba.conf file
from "password" to "md5".  Restarting postgres is then needed for this
to take effect.

Only allow the quillwriter account to create tables.  To do this, run the
following two SQL commands as the database owner.

REVOKE CREATE on SCHEMA public FROM PUBLIC;

GRANT CREATE on SCHEMA public to quillwriter;
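The following is an added SQL example, not part of the original post or
the Condor manual.  It applies the two commands above and then checks that
the restriction actually took effect, so an administrator can confirm the
read-only account can no longer create tables in the public schema.  The
role name quillwriter comes from the post; quillreader is an assumed
placeholder for the read-only account whose name the post does not give.
Run it as the database owner, connected to the quill database.

```sql
-- Added example (not from the original post).  Lock down the public schema
-- so that only the quillwriter role may create tables.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
GRANT CREATE ON SCHEMA public TO quillwriter;

-- Verify the result.  has_schema_privilege() reports whether a role holds
-- a given privilege on a schema; after the two statements above it should
-- return true for quillwriter and false for the read-only account.
-- 'quillreader' is an assumed placeholder for the read-only role name.
SELECT rolname,
       has_schema_privilege(rolname, 'public', 'CREATE') AS can_create
FROM pg_roles
WHERE rolname IN ('quillwriter', 'quillreader');

-- Any existing tables that the read-only account created before the change
-- are not affected by REVOKE; list them so they can be reviewed by hand.
-- tableowner is compared against the same assumed placeholder role name.
SELECT schemaname, tablename, tableowner
FROM pg_tables
WHERE schemaname = 'public' AND tableowner = 'quillreader';
```

The REVOKE only blocks creation of new objects; tables that were already
created under the old configuration keep their existing owner and must be
dropped or reassigned separately if they are unwanted.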


New Quill installs with 6.8.6 will automatically apply these two commands.
(It is undecided if upgrades to 6.8.6 will apply them.)

As always, please contact us at condor-admin@xxxxxxxxxxx with any questions
or concerns.  Thanks!