I’m trying to set up a new Condor central
manager / submit host using v. 7.6.2 but I’m tearing my
hair out over a potential security hole. It
seems that if I give ordinary users WRITE access so that
the can submit jobs then they are also
capable of reconfiguring the Condor installation (bit of
a scary thought !) and there seems to be no
way of preventing them from doing this without
preventing them from submitting jobs (Catch
In my condor_config I have
ALLOW_WRITE = $(CONDOR_USERS),
ALLOW_ADMINISTRATOR = $(ADMIN_USERS)
ALLOW_DAEMON = $(ADMIN_USERS)
ALLOW_CONFIG = $(ADMIN_USERS)
(I’ve not put in the execute hosts yet –
I’m trying to keep it simple to begin with).
When I do a condor_reconfig as a non-admin
user I get see this in MasterLog
PERMISSION GRANTED to
smithic@xxxxxxxxxxxxxxx from host 184.108.40.206
for command 60012 (DC_RECONFIG_FULL),
access level WRITE: reason:
WRITE authorization policy allows IP
address 220.127.116.11; identifiers used for this remote host:
It seems as if the host based authorization
is taking precedence over the user based authorization.
I’m wondering if this is something to do
with the move to drop/discourage the use of HOSTALLOW_*
Any help with this would be extremely
useful as I’ve been stuck on this for a week now.
Advanced Research Computing,
University of Liverpool, UK.
PS I’m using Scientific Linux 6.1 on an
x86_64 Dell server.