condor-users-bounces@xxxxxxxxxxx [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of
Sent: 15 August 2011 16:32
Subject: Re: [Condor-users] security problems with Condor 7.6.2
For better or worse, "reconfig" is just a write-level command. It does not require CONFIG or ADMINISTRATOR access.
The ability to set configuration values with condor_config_val is different. That requires CONFIG level access.
As for why the WRITE-level authorization is being applied to the whole host ... does your configuration define HOSTALLOW_WRITE? The HOSTALLOW settings are added to the ALLOW settings.
On 8/15/11 10:12 AM, Smith, Ian wrote:
I’m trying to set up a new Condor central manager / submit host using v. 7.6.2 but I’m tearing my
hair out over a potential security hole. It seems that if I give ordinary users WRITE access so that
they can submit jobs then they are also capable of reconfiguring the Condor installation (bit of
a scary thought !) and there seems to be no way of preventing them from doing this without
preventing them from submitting jobs (Catch 22).
In my condor_config I have
ALLOW_WRITE = $(CONDOR_USERS), $(ADMIN_USERS)
ALLOW_ADMINISTRATOR = $(ADMIN_USERS)
ALLOW_DAEMON = $(ADMIN_USERS)
ALLOW_CONFIG = $(ADMIN_USERS)
(I’ve not put in the execute hosts yet – I’m trying to keep it simple to begin with).
When I do a condor_reconfig as a non-admin user I see this in MasterLog:
PERMISSION GRANTED to
smithic@xxxxxxxxxxxxxxx from host 126.96.36.199
for command 60012 (DC_RECONFIG_FULL), access level WRITE: reason:
WRITE authorization policy allows IP address 188.8.131.52; identifiers used for this remote host:
It seems as if the host based authorization is taking precedence over the user based authorization.
I’m wondering if this is something to do with the move to drop/discourage the use of HOSTALLOW_*
Any help with this would be extremely useful as I’ve been stuck on this for a week now.
Advanced Research Computing,
University of Liverpool, UK.
PS I’m using Scientific Linux 6.1 on an x86_64 Dell server.
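An added example (not part of the original thread, and not Condor's own code): a small audit that lists each access level where a HOSTALLOW_<LEVEL> setting adds entries to the user-based ALLOW_<LEVEL> list, which is the situation the reply above asks about. The sample configuration, its example.org values and the function names are constructed; it assumes a single file with one NAME = value definition per line (no line continuations or included files).

```python
import re

# Constructed sample configuration (not taken from the original post).
SAMPLE_CONFIG = """\
CONDOR_USERS = *@example.org
ADMIN_USERS = root@example.org, condor@example.org
ALLOW_WRITE = $(CONDOR_USERS), $(ADMIN_USERS)
ALLOW_CONFIG = $(ADMIN_USERS)
# Left over from an older, host-based setup
HOSTALLOW_WRITE = *.example.org
"""

def parse_config(text):
    """Collect NAME = value pairs; a later definition overrides an earlier one."""
    macros = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        macros[name.strip().upper()] = value.strip()  # names compared case-insensitively
    return macros

def expand(value, macros, depth=0):
    """Expand $(NAME) references; an undefined macro expands to nothing."""
    if depth > 20:
        raise ValueError("macro expansion too deep (circular reference?)")
    return re.sub(r"\$\(([^)]+)\)",
                  lambda m: expand(macros.get(m.group(1).strip().upper(), ""),
                                   macros, depth + 1),
                  value)

def entries(name, macros):
    """Return the expanded, comma-separated entries of one setting."""
    raw = expand(macros.get(name, ""), macros)
    return [e.strip() for e in raw.split(",") if e.strip()]

def audit(text):
    """Map LEVEL -> (ALLOW_<LEVEL> entries, HOSTALLOW_<LEVEL> entries added to them)."""
    macros = parse_config(text)
    findings = {}
    for name in macros:
        if name.startswith("HOSTALLOW_"):
            level = name[len("HOSTALLOW_"):]
            extra = entries(name, macros)
            if extra:
                findings[level] = (entries("ALLOW_" + level, macros), extra)
    return findings

if __name__ == "__main__":
    for level, (allow, hostallow) in audit(SAMPLE_CONFIG).items():
        print(f"{level}: ALLOW={allow} is widened by HOSTALLOW={hostallow}")
```
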