
Re: [Condor-users] SSL authentication problem

> > PS I'm still at a loss to see what is stopping malicious users just
> > copying the host cert elsewhere. Unless it can be made readable only
> > by the Condor processes under Windows??
> I believe that it can be. Condor processes usually run as 'system' so
> if you configure your permissions so that only 'system' and
> administrators can access 'c:\condor\ssl', the users shouldn't be able
> to access those files, but the Condor daemons should be able to.

I can confirm that it is indeed the case. In our case we modified the ACLs on
the directory by removing all access to the "Everyone" built-in group, but
leaving access to the Administrators group. This effectively avoids having
users copying around SSL certificates.

We also have a similar setup under Linux, where the directory containing the
certificates belongs to the "condor" user and group.
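
Added example, not part of the original message: a shell check for the Linux setup described above, reporting anything under the certificate directory that is not owned by the expected user and group or that grants any access to other users. The function name `audit_cert_dir` and the path `/etc/condor/ssl` are assumptions; the `condor` defaults come from the message.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a certificate directory.
# Usage: audit_cert_dir DIR [OWNER] [GROUP]
# Returns 0 if clean, 1 if findings were printed, 2 if the check could not run.
audit_cert_dir() {
    dir=$1
    owner=${2:-condor}   # default taken from the setup described in the message
    group=${3:-condor}

    if [ ! -d "$dir" ]; then
        echo "audit: not a directory: $dir" >&2
        return 2
    fi

    # Entries (the directory included) not owned by OWNER:GROUP.
    # find fails if OWNER or GROUP is unknown, so its exit status is checked.
    bad_owner=$(find "$dir" \( ! -user "$owner" -o ! -group "$group" \) -print) || {
        echo "audit: could not check ownership under $dir" >&2
        return 2
    }

    # Entries with any read, write or execute bit set for "other".
    # Symlinks are skipped: their own mode bits are not used for access checks.
    world=$(find "$dir" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print) || {
        echo "audit: could not check permissions under $dir" >&2
        return 2
    }

    rc=0
    if [ -n "$bad_owner" ]; then
        echo "Not owned by $owner:$group:"
        echo "$bad_owner" | sed 's/^/  /'
        rc=1
    fi
    if [ -n "$world" ]; then
        echo "Accessible to other users:"
        echo "$world" | sed 's/^/  /'
        rc=1
    fi
    return $rc
}

# Example call: sh audit.sh /etc/condor/ssl   (assumed path, adjust to the site)
if [ "$#" -gt 0 ]; then
    audit_cert_dir "$@"
fi
```

Run it as root or as the directory owner so that `find` can read every subdirectory; an unreadable subdirectory makes the check return 2 rather than report a clean result.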