
[Condor-users] security problems with Condor 7.6.2

Dear All,


I’m trying to set up a new Condor central manager / submit host using v. 7.6.2 but I’m tearing my
hair out over a potential security hole. It seems that if I give ordinary users WRITE access so that
they can submit jobs then they are also capable of reconfiguring the Condor installation (bit of
a scary thought!) and there seems to be no way of preventing them from doing this without
preventing them from submitting jobs (Catch 22).


In my condor_config I have





CONDOR_USERS = smithic@xxxxxxxxxxxxxxx/ulgp5.liv.ac.uk
ADMIN_USERS  = condor@xxxxxxxxxxxxxxx/ulgp5.liv.ac.uk







(I’ve not put in the execute hosts yet – I’m trying to keep it simple to begin with).


When I do a condor_reconfig as a non-admin user I see this in MasterLog:


PERMISSION GRANTED to smithic@xxxxxxxxxxxxxxx from host
for command 60012 (DC_RECONFIG_FULL), access level WRITE: reason:
WRITE authorization policy allows IP address; identifiers used for this remote host:,ulgp5.liv.ac.uk,ulgp5


It seems as if the host based authorization is taking precedence over the user based authorization.
I’m wondering if this is something to do with the move to drop/discourage the use of HOSTALLOW_*.


Any help with this would be extremely useful as I’ve been stuck on this for a week now.


Many thanks,

Advanced Research Computing,
University of Liverpool, UK.


PS I’m using Scientific Linux 6.1 on an x86_64 Dell server.
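
Added example, not part of the original post: a small MasterLog audit that flags DC_RECONFIG_FULL grants to users outside an admin list and records whether the grant was decided by the host/IP policy, as in the log line quoted above. The sample log lines, the example.org names, the 192.0.2.10 address and the audit() helper are constructed for illustration.

```python
import re

# Shape of the authorization line quoted in the post. The host field is
# optional because it may be blank or redacted in the log being audited.
GRANT = re.compile(
    r"PERMISSION GRANTED to (?P<user>\S+) from host (?P<host>\S*)\s*"
    r"for command (?P<num>\d+) \((?P<cmd>\w+)\), "
    r"access level (?P<level>\w+): reason: (?P<reason>.*)"
)

# Constructed sample input: timestamps, users and addresses are made up.
SAMPLE_LOG = """\
11/02 10:15:01 PERMISSION GRANTED to alice@example.org from host 192.0.2.10 for command 60012 (DC_RECONFIG_FULL), access level WRITE: reason: WRITE authorization policy allows IP address 192.0.2.10; identifiers used for this remote host: 192.0.2.10,cm.example.org,cm
11/02 10:20:44 PERMISSION GRANTED to condor@example.org from host 192.0.2.10 for command 60012 (DC_RECONFIG_FULL), access level WRITE: reason: WRITE authorization policy allows IP address 192.0.2.10; identifiers used for this remote host: 192.0.2.10,cm.example.org,cm
11/02 10:21:00 some unrelated constructed log line
"""


def audit(log_text, admins, watched=("DC_RECONFIG_FULL",)):
    """Return grants of watched commands to users who are not in `admins`.

    `watched` holds command names as they appear in the log; add further
    names there if other administrative commands should be tracked.
    """
    findings = []
    for line in log_text.splitlines():
        m = GRANT.search(line)
        if not m or m["cmd"] not in watched:
            continue
        if m["user"] in admins:
            continue
        findings.append({
            "user": m["user"],
            "command": m["cmd"],
            "level": m["level"],
            # True when the stated reason is the host/IP policy rather
            # than a match on the authenticated user name.
            "host_based": "allows IP address" in m["reason"],
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, admins={"condor@example.org"}):
        print(finding)
```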