Re: [Condor-users] SSL authentication problem
> > PS I'm still at a loss to see what is stopping malicious users just
> > copying the host cert elsewhere. Unless it can be made readable only
> > by the Condor processes under Windows ??
> I believe that it can be. Condor processes usually run as 'system' so
> if you configure your permissions so that only 'system' and
> administrators can access 'c:\condor\ssl', the users shouldn't be able
> to access those files, but the Condor daemons should be able to.
I can confirm that it is indeed the case. In our case we modified the ACLs on
the directory by removing all access to the "Everyone" built-in group, but
leaving access to the Administrators group. This effectively prevents users
from copying SSL certificates around.
We also have a similar setup under Linux, where the directory containing the
certificates belongs to the "condor" user and group.
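
One way to apply and then verify the Windows restriction discussed in this thread, as an added example that is not part of the original messages. It assumes the certificates live in c:\condor\ssl (the path quoted above), that the Condor daemons run as 'system', and that the script is run from an elevated PowerShell prompt.

```powershell
# Added example, not from the original thread.
$Path = 'c:\condor\ssl'   # directory named in the thread; adjust to your install

$sidType = [System.Security.Principal.SecurityIdentifier]
# Well-known SIDs (locale independent): LocalSystem and BUILTIN\Administrators
$allowed = @('S-1-5-18', 'S-1-5-32-544')

$acl = Get-Acl -LiteralPath $Path
# Protect the DACL from inheritance and discard the ACEs inherited from the parent
$acl.SetAccessRuleProtection($true, $false)

# Drop explicit ACEs held by any other principal (Everyone, Users, ...)
foreach ($ace in @($acl.GetAccessRules($true, $false, $sidType))) {
    if ($allowed -notcontains $ace.IdentityReference.Value) {
        $acl.PurgeAccessRules($ace.IdentityReference)
    }
}

# Grant full control to SYSTEM and Administrators, inherited by files and subfolders
foreach ($sid in $allowed) {
    $principal = New-Object System.Security.Principal.SecurityIdentifier $sid
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $Path -AclObject $acl

# Verify: report any Allow ACE on the directory or its contents for another principal.
# Files that carry their own explicit ACEs are not changed above and show up here.
$items = @(Get-Item -LiteralPath $Path) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
$unexpected = foreach ($item in $items) {
    (Get-Acl -LiteralPath $item.FullName).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $allowed -notcontains $_.IdentityReference.Value
        } |
        Select-Object @{n = 'Path'; e = { $item.FullName }},
                      IdentityReference, FileSystemRights
}

if ($unexpected) {
    $unexpected | Format-Table -AutoSize
} else {
    'Only SYSTEM and Administrators can access the certificate directory.'
}
```

Any row printed by the verification step is a principal other than SYSTEM or Administrators that can still reach a certificate or key file.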