
Re: [Condor-users] security problems with Condor 7.6.2



Ian,

For better or worse, "reconfig" is just a write-level command.  It does not require CONFIG or ADMINISTRATOR access.

The ability to set configuration values with condor_config_val is different.  That requires CONFIG level access.

As for why the WRITE-level authorization is being applied to the whole host ... does your configuration define HOSTALLOW_WRITE?  The HOSTALLOW settings are added to the ALLOW settings.

--Dan

On 8/15/11 10:12 AM, Smith, Ian wrote:

Dear All,

I’m trying to set up a new Condor central manager / submit host using v. 7.6.2 but I’m tearing my hair out over a potential security hole. It seems that if I give ordinary users WRITE access so that they can submit jobs then they are also capable of reconfiguring the Condor installation (bit of a scary thought!) and there seems to be no way of preventing them from doing this without preventing them from submitting jobs (Catch 22).

In my condor_config I have

SEC_DEFAULT_AUTHENTICATION=REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS=FS

CONDOR_USERS = smithic@xxxxxxxxxxxxxxx/ulgp5.liv.ac.uk
ADMIN_USERS  = condor@xxxxxxxxxxxxxxx/ulgp5.liv.ac.uk

ALLOW_WRITE =  $(CONDOR_USERS), $(ADMIN_USERS)
ALLOW_ADMINISTRATOR = $(ADMIN_USERS)
ALLOW_DAEMON = $(ADMIN_USERS)
ALLOW_CONFIG = $(ADMIN_USERS)

(I’ve not put in the execute hosts yet – I’m trying to keep it simple to begin with).

When I do a condor_reconfig as a non-admin user I see this in MasterLog

PERMISSION GRANTED to smithic@xxxxxxxxxxxxxxx from host 138.253.100.17
for command 60012 (DC_RECONFIG_FULL), access level WRITE: reason:
WRITE authorization policy allows IP address 138.253.100.17; identifiers used for this remote host:
138.253.100.17,ulgp5.liv.ac.uk,ulgp5

It seems as if the host based authorization is taking precedence over the user based authorization. I’m wondering if this is something to do with the move to drop/discourage the use of HOSTALLOW_*

Any help with this would be extremely useful as I’ve been stuck on this for a week now.

Many thanks,

-ian.

....

Advanced Research Computing,
University of Liverpool, UK.

PS I’m using Scientific Linux 6.1 on an x86_64 Dell server.
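
Added example, not part of the original messages and not Condor code: a small Python check that scans MasterLog-style entries for the pattern shown in this thread, a watched command (here DC_RECONFIG_FULL) granted because the host's IP address matched the WRITE policy. The regular expression is modelled on the single entry quoted above; the sample entries, user names and addresses are constructed, and the wording of the user-based reason is an assumption.

```python
import re

# Modelled on the one MasterLog entry quoted in this thread; other Condor
# versions may word the entry differently (assumption).
GRANT_RE = re.compile(
    r"PERMISSION GRANTED to (?P<user>\S+) from host (?P<host>\S+) "
    r"for command (?P<num>\d+) \((?P<cmd>\w+)\), "
    r"access level (?P<level>\w+): reason: (?P<reason>.*)"
)
WATCHED_COMMANDS = {"DC_RECONFIG_FULL"}  # command name taken from the thread


def parse_grant(entry):
    """Return the fields of a PERMISSION GRANTED entry, or None."""
    text = " ".join(entry.split())  # undo e-mail or terminal line wrapping
    m = GRANT_RE.search(text)
    if m is None:
        return None
    grant = m.groupdict()
    # True when the decision rested on the host's address, not the user.
    grant["host_based"] = "authorization policy allows IP address" in grant["reason"]
    return grant


def host_based_grants(entries, watched=WATCHED_COMMANDS):
    """Grants of watched commands that were authorized by IP address."""
    grants = (parse_grant(e) for e in entries)
    return [g for g in grants if g and g["cmd"] in watched and g["host_based"]]


# Constructed sample entries (placeholder users, documentation addresses).
SAMPLE_ENTRIES = [
    "PERMISSION GRANTED to alice@example.org from host 192.0.2.10\n"
    "for command 60012 (DC_RECONFIG_FULL), access level WRITE: reason:\n"
    "WRITE authorization policy allows IP address 192.0.2.10; identifiers "
    "used for this remote host: 192.0.2.10,node1.example.org,node1",
    # Hypothetical wording for a grant decided on the user name.
    "PERMISSION GRANTED to admin@example.org from host 192.0.2.11 "
    "for command 60012 (DC_RECONFIG_FULL), access level WRITE: reason: "
    "WRITE authorization policy allows user admin@example.org",
    "Some unrelated MasterLog line",
]

if __name__ == "__main__":
    for g in host_based_grants(SAMPLE_ENTRIES):
        print(f"{g['cmd']} from {g['user']} at {g['host']} allowed by host match")
```

Entries flagged here are the ones to compare against any HOSTALLOW_WRITE setting, since those settings are added to the ALLOW settings.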

 

 

 

 

 


