[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [HTCondor-users] condor_ssh_to_job
- Date: Wed, 13 Aug 2014 11:58:37 -0400
- From: Rich Pieri <ratinox@xxxxxxx>
- Subject: Re: [HTCondor-users] condor_ssh_to_job
On 8/13/2014 8:13 AM, Keith Brown wrote:
> there must be a way for an administrator to control access to
Not really. Condor allows users to run arbitrary code. Regardless of
what you do they can run a version of the same thing that doesn't have
On 8/13/2014 9:55 AM, Brian Bockelman wrote:
> Point of note - I don't think one can escape the chroot jail
> that HTCondor provides.
In practice, local privilege escalation is pretty easy when you can run
arbitrary code. If you can exploit vulnerability and get UID 0 then you
can escape the jail.
You're right, though. If you trust your users enough to use the pool
then you can't be looking at locking down what they can do. That's
futile. Your time and energy would be better spent implementing a
monitoring system that can identify misuse and abuse. When you identify
users misusing or abusing the pool you can bring down the ban-hammer
courtesy of your site's acceptable use policies.
Rich Pieri <ratinox@xxxxxxx>
MIT Laboratory for Nuclear Science