[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] ENABLE_RUNTIME_CONFIG and "potential security implications"



Hi Zach,


Thank you for the quick reply.


By the way, I've noticed that you have to restart your Condor deamons in order to change ENABLE_RUNTIME_CONFIG. condor_reconfig is not enough. The same applies to ENABLE_PERSISTENT_CONFIG. This unique behavior is documented in the source code (see below) but it seem to be missing in the user docs. Or at least, I can't find a corresponding remark in the corresponding section http://research.cs.wisc.edu/htcondor/manual/v8.4/3_3Configuration.html#SECTION00434000000000000000.


It would be very helpful if we could attach a short sentence such as "Requires restart." to corresponding descriptions. Could I update the docs by myself in your GitHub repo, or is this something that you guys would have to do?


https://github.com/htcondor/htcondor/blob/master/src/condor_utils/condor_config.cpp  (Line 2983)


/*
  we want these two bools to be global, and only initialized on
  startup, so that folks can't play tricks and change these
  dynamically.  for example, if a site enables runtime but not
  persistent configs, we can't allow someone to set
  "ENABLE_PERSISTENT_CONFIG" with a condor_config_val -rset.
  therefore, we only read these once, before we look at any of the
  dynamic config source, to make sure we're happy.  this means it
  requires a restart to change any of these, but i think that's a
  reasonable burden on admins, considering the potential security
  implications.  -derek 2006-03-17
*/

Thanks again and regards,

Lukas


--
Lukas Koschmieder
Steel Institute IEHK
RWTH Aachen University
Intzestraße 1
52072 Aachen
Germany

Tel: +49 (0)241 80 95823
Fax: +49 (0)241 80 92253
lukas.koschmieder@xxxxxxxxxxxxxxxxxxx
lukas.koschmieder@xxxxxxxxxxxxxxxxxxx
lukas.koschmieder@xxxxxxxxxxxxxx
http://www.iehk.rwth-aachen.de
http://www.icme.rwth-aachen.de
http://aixvipmap.rwth-aachen.de


From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Zach Miller <zmiller@xxxxxxxxxxx>
Sent: Tuesday, September 12, 2017 4:51:32 PM
To: HTCondor-Users Mail List
Subject: Re: [HTCondor-users] ENABLE_RUNTIME_CONFIG and "potential security implications"
 
The "potential security implications" are referring to the fact that someone could set these remotely without authentication.  So, yes, setting up SSL for HTCondor would do the trick. 

High-level steps:

1) Install SSL certs (and the CA/signing cert) on the central manager and execute nodes.

2) Set the AUTH_SSL_CLIENT_* and AUTH_SSL_SERVER_* condor_config entries.

3) Add SSL to your list of authentication methods for "CONFIG"-level commands.

We have a recipe for setting up SSL for DAEMON-level (and NEGOTIATOR-level) commands, which you might find handy:
        https://htcondor-wiki.cs.wisc.edu/index.cgi/wiki?p=HowToEnableSsl

However, we don't yet have one specifically for using the client tools to issue commands to daemons (such as condor_config_val -rset).

If you become stuck at all, please let me know and I can spend a little time putting together a real recipe.


Cheers,
-zach


> -----Original Message-----
> From: HTCondor-users [mailto:htcondor-users-bounces@xxxxxxxxxxx] On Behalf
> Of Koschmieder, Lukas
> Sent: Tuesday, September 12, 2017 3:58 AM
> To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
> Subject: [HTCondor-users] ENABLE_RUNTIME_CONFIG and "potential security
> implications"
>
> Hi,
>
>
> Where can I find more information on the "potential security implications"
> mentioned in the manual on ENABLE_RUNTIME_CONFIG (see below)?
>
>
>
> What do admins have to do in order to eliminate this vulnerability? Would
> it be enough to set up a SSL connection between central server and execute
> nodes?
>
>
>
> ENABLE_RUNTIME_CONFIG
> The condor_config_val tool has an option -rset for dynamically setting run
> time configuration values, and which only affect the in-memory
> configuration variables. Because of the potential security implications of
> this feature, by default, HTCondor daemons will not honor these requests.
> To use this functionality, HTCondor administrators must specifically enable
> it by setting ENABLE_RUNTIME_CONFIG to True, and specify what configuration
> variables can be changed using the SETTABLE_ATTRS... family of
> configuration options. Defaults to False.
>
>
>
> http://research.cs.wisc.edu/htcondor/manual/v8.4/3_3Configuration.html
> <http://research.cs.wisc.edu/htcondor/manual/v8.4/3_3Configuration.html>
>
>
> Regards,
> Lukas
>
>
> --
> Lukas Koschmieder
> Steel Institute IEHK
> RWTH Aachen University
> Intzestraße 1
> 52072 Aachen
> Germany
>
> Tel: +49 (0)241 80 95823
> Fax: +49 (0)241 80 92253
> lukas.koschmieder@xxxxxxxxxxxxxxxxxxx
> lukas.koschmieder@xxxxxxxxxxxxxxxxxxx
> lukas.koschmieder@xxxxxxxxxxxxxx
> http://www.iehk.rwth-aachen.de
> http://www.icme.rwth-aachen.de
> http://aixvipmap.rwth-aachen.de
>


_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users

The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/