
Re: [HTCondor-users] ENABLE_RUNTIME_CONFIG and "potential security implications"



Sometimes the HTCondor daemons parse the config files while running as root, and there are statements in the config file that can result in running programs (config include statements, STARTD_CRON_*, etc.), thus an attacker who can edit your config can run a program of their choice as root.

 

The best mitigation for this is to set the SETTABLE_ATTRS… family of options so that only configuration variables that can’t be abused in this way can be changed.  If you allow only START to be set, for instance, then there is no risk of an attacker executing arbitrary code. 

 

This is in addition to setting up security to prevent unauthorized users from changing the config.

 

-tj
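To make the point above concrete, here is an added configuration example (it is not part of the original mail and not HTCondor's shipped defaults): a weak fragment that turns on runtime config and lets any client with CONFIG permission set any knob, beside a hardened fragment that keeps runtime config on but limits it to a single policy expression. The host name `central-manager.example.org` is a placeholder; the two fragments are alternatives, not meant to live in one file, because in HTCondor the last definition of a variable wins.

```ini
# --- Fragment A: weak (constructed example) ---------------------------------
# Runtime reconfiguration is enabled, every host may connect at the CONFIG
# access level, and every configuration variable may be changed at run time.
# A client that passes CONFIG authorization could push e.g. a STARTD_CRON_*
# definition, and the startd would run that program as root.
ENABLE_RUNTIME_CONFIG = True
ALLOW_CONFIG = *
SETTABLE_ATTRS_CONFIG = *

# --- Fragment B: hardened (constructed example) -----------------------------
# Runtime reconfiguration stays enabled, but only the central manager may
# use it, and the only variable it may change is START. START is a ClassAd
# policy expression that is evaluated, not executed, so it cannot be turned
# into a program launch.
ENABLE_RUNTIME_CONFIG = True
ALLOW_CONFIG = central-manager.example.org
SETTABLE_ATTRS_CONFIG = START

# Optional: scope the allowance to one daemon with the SUBSYS. prefix,
# so that e.g. only the condor_startd honours runtime changes at all.
STARTD.SETTABLE_ATTRS_CONFIG = START
```

With fragment B in place, `condor_config_val -startd -rset "START = False"` (followed by `condor_reconfig -startd`) is accepted, while `-rset "STARTD_CRON_JOBLIST = x"` is refused by the daemon. Note that the two knobs do different jobs: `ALLOW_CONFIG` (together with whatever authentication method you configure, SSL included) decides who may push a value, while `SETTABLE_ATTRS_*` decides which values an authorized client may push. Securing the channel alone does not shrink the second set.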

 

From: HTCondor-users [mailto:htcondor-users-bounces@xxxxxxxxxxx] On Behalf Of Koschmieder, Lukas
Sent: Tuesday, September 12, 2017 3:58 AM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: [HTCondor-users] ENABLE_RUNTIME_CONFIG and "potential security implications"

 

Hi,

 

Where can I find more information on the "potential security implications" mentioned in the manual on ENABLE_RUNTIME_CONFIG (see below)?

 

What do admins have to do in order to eliminate this vulnerability? Would it be enough to set up a SSL connection between central server and execute nodes?

 


ENABLE_RUNTIME_CONFIG
The condor_config_val tool has an option -rset for dynamically setting run time configuration values, and which only affect the in-memory configuration variables. Because of the potential security implications of this feature, by default, HTCondor daemons will not honor these requests. To use this functionality, HTCondor administrators must specifically enable it by setting ENABLE_RUNTIME_CONFIG to True, and specify what configuration variables can be changed using the SETTABLE_ATTRS... family of configuration options. Defaults to False.

 

 


Regards,
Lukas

 

--
Lukas Koschmieder
Steel Institute IEHK
RWTH Aachen University
Intzestraße 1
52072 Aachen
Germany

Tel: +49 (0)241 80 95823
Fax: +49 (0)241 80 92253
lukas.koschmieder@xxxxxxxxxxxxxxxxxxx
lukas.koschmieder@xxxxxxxxxxxxxxxxxxx
lukas.koschmieder@xxxxxxxxxxxxxx
http://www.iehk.rwth-aachen.de
http://www.icme.rwth-aachen.de
http://aixvipmap.rwth-aachen.de