
Re: [HTCondor-users] condor_ssh_to_job



On 8/13/2014 8:13 AM, Keith Brown wrote:
> there must be a way for an administrator to control access to
> condor_ssh_job.

Not really. Condor allows users to run arbitrary code. Regardless of
what you do they can run a version of the same thing that doesn't have
your restrictions.


On 8/13/2014 9:55 AM, Brian Bockelman wrote:
> Point of note - I don't think one can escape the chroot jail
> that HTCondor provides.

In practice, local privilege escalation is pretty easy when you can run
arbitrary code. If you can exploit a vulnerability and get UID 0 then you
can escape the jail.

You're right, though. If you trust your users enough to use the pool
then you can't be looking at locking down what they can do. That's
futile. Your time and energy would be better spent implementing a
monitoring system that can identify misuse and abuse. When you identify
users misusing or abusing the pool you can bring down the ban-hammer
courtesy of your site's acceptable use policies.

-- 
Rich Pieri <ratinox@xxxxxxx>
MIT Laboratory for Nuclear Science