
Re: [HTCondor-users] ENABLE_RUNTIME_CONFIG and "potential security implications"



If your changes would be more extensive than adding a "these two settings require restart", you can definitely update the docs on GitHub and send us a pull request.

However, if you do we would then need you to send us a completed "Contributor License Agreement".  If you're still interested, contact me off-list and I'll help you out with that.  If that's more hassle than you're looking for, let me know and we can just update those two items ourselves.

In either case, thanks!


Cheers,
-zach


> -----Original Message-----
> From: HTCondor-users [mailto:htcondor-users-bounces@xxxxxxxxxxx] On Behalf
> Of Koschmieder, Lukas
> Sent: Tuesday, September 12, 2017 10:18 AM
> To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
> Subject: Re: [HTCondor-users] ENABLE_RUNTIME_CONFIG and "potential security
> implications"
> 
> Hi Zach,
> 
> 
> 
> 
> Thank you for the quick reply.
> 
> 
> 
> 
> 
> By the way, I've noticed that you have to restart your Condor daemons in
> order to change ENABLE_RUNTIME_CONFIG. condor_reconfig is not enough. The
> same applies to ENABLE_PERSISTENT_CONFIG. This unique behavior is
> documented in the source code (see below) but it seems to be missing in the
> user docs. Or at least, I can't find a corresponding remark in the
> corresponding section
> http://research.cs.wisc.edu/htcondor/manual/v8.4/3_3Configuration.html#SECTION00434000000000000000 .
> 
> 
> 
> 
> 
> It would be very helpful if we could attach a short sentence such as
> "Requires restart." to corresponding descriptions. Could I update the docs
> by myself in your GitHub repo, or is this something that you guys would
> have to do?
> 
> 
> 
> 
> 
> https://github.com/htcondor/htcondor/blob/master/src/condor_utils/condor_config.cpp (Line 2983)
> 
> 
> 
> 
> /*
>   we want these two bools to be global, and only initialized on
>   startup, so that folks can't play tricks and change these
>   dynamically.  for example, if a site enables runtime but not
>   persistent configs, we can't allow someone to set
>   "ENABLE_PERSISTENT_CONFIG" with a condor_config_val -rset.
>   therefore, we only read these once, before we look at any of the
>   dynamic config source, to make sure we're happy.  this means it
>   requires a restart to change any of these, but i think that's a
>   reasonable burden on admins, considering the potential security
>   implications.  -derek 2006-03-17
> */
> 
> 
> Thanks again and regards,
> 
> Lukas
> 
> 
> 
> 
> --
> Lukas Koschmieder
> Steel Institute IEHK
> RWTH Aachen University
> Intzestraße 1
> 52072 Aachen
> Germany
> 
> Tel: +49 (0)241 80 95823
> Fax: +49 (0)241 80 92253
> lukas.koschmieder@xxxxxxxxxxxxxxxxxxx
> lukas.koschmieder@xxxxxxxxxxxxxxxxxxx
> lukas.koschmieder@xxxxxxxxxxxxxx
> http://www.iehk.rwth-aachen.de
> http://www.icme.rwth-aachen.de
> http://aixvipmap.rwth-aachen.de
> 
> 
> ________________________________
> 
> From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Zach
> Miller <zmiller@xxxxxxxxxxx>
> Sent: Tuesday, September 12, 2017 4:51:32 PM
> To: HTCondor-Users Mail List
> Subject: Re: [HTCondor-users] ENABLE_RUNTIME_CONFIG and "potential security
> implications"
> 
> The "potential security implications" are referring to the fact that
> someone could set these remotely without authentication.  So, yes, setting
> up SSL for HTCondor would do the trick.
> 
> High-level steps:
> 
> 1) Install SSL certs (and the CA/signing cert) on the central manager and
> execute nodes.
> 
> 2) Set the AUTH_SSL_CLIENT_* and AUTH_SSL_SERVER_* condor_config entries.
> 
> 3) Add SSL to your list of authentication methods for "CONFIG"-level
> commands.
> 
> We have a recipe for setting up SSL for DAEMON-level (and NEGOTIATOR-level)
> commands, which you might find handy:
>         https://htcondor-wiki.cs.wisc.edu/index.cgi/wiki?p=HowToEnableSsl
> 
> However, we don't yet have one specifically for using the client tools to
> issue commands to daemons (such as condor_config_val -rset).
> 
> If you become stuck at all, please let me know and I can spend a little
> time putting together a real recipe.
> 
> 
> Cheers,
> -zach
> 
> 
> > -----Original Message-----
> > From: HTCondor-users [mailto:htcondor-users-bounces@xxxxxxxxxxx] On Behalf
> > Of Koschmieder, Lukas
> > Sent: Tuesday, September 12, 2017 3:58 AM
> > To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
> > Subject: [HTCondor-users] ENABLE_RUNTIME_CONFIG and "potential security
> > implications"
> >
> > Hi,
> >
> >
> > Where can I find more information on the "potential security implications"
> > mentioned in the manual on ENABLE_RUNTIME_CONFIG (see below)?
> >
> >
> >
> > What do admins have to do in order to eliminate this vulnerability? Would
> > it be enough to set up an SSL connection between central server and execute
> > nodes?
> >
> >
> >
> > ENABLE_RUNTIME_CONFIG
> > The condor_config_val tool has an option -rset for dynamically setting run
> > time configuration values, and which only affect the in-memory
> > configuration variables. Because of the potential security implications of
> > this feature, by default, HTCondor daemons will not honor these requests.
> > To use this functionality, HTCondor administrators must specifically enable
> > it by setting ENABLE_RUNTIME_CONFIG to True, and specify what configuration
> > variables can be changed using the SETTABLE_ATTRS... family of
> > configuration options. Defaults to False.
> >
> >
> >
> > http://research.cs.wisc.edu/htcondor/manual/v8.4/3_3Configuration.html
> >
> >
> > Regards,
> > Lukas
> >
> >
> > --
> > Lukas Koschmieder
> > Steel Institute IEHK
> > RWTH Aachen University
> > Intzestraße 1
> > 52072 Aachen
> > Germany
> >
> > Tel: +49 (0)241 80 95823
> > Fax: +49 (0)241 80 92253
> > lukas.koschmieder@xxxxxxxxxxxxxxxxxxx
> > lukas.koschmieder@xxxxxxxxxxxxxxxxxxx
> > lukas.koschmieder@xxxxxxxxxxxxxx
> > http://www.iehk.rwth-aachen.de
> > http://www.icme.rwth-aachen.de
> > http://aixvipmap.rwth-aachen.de
> >
> 
> 
> _______________________________________________
> HTCondor-users mailing list
> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
> 
> The archives can be found at:
> https://lists.cs.wisc.edu/archive/htcondor-users/
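The three high-level steps Zach lists in the thread (certificates, AUTH_SSL_SERVER_*/AUTH_SSL_CLIENT_* entries, SSL as the authentication method for CONFIG-level commands), written out as one condor_config fragment with the weak setting beside the hardened one. This is an added illustration, not configuration from the thread or from the HTCondor project; the file paths, the mapped identity condor_admin@example.org, the mapfile line and the two whitelisted variables are assumptions, and the SEC_CONFIG_*, CERTIFICATE_MAPFILE and ALLOW_CONFIG knobs are standard HTCondor settings the thread itself does not name.

```ini
# --- Weak: the situation the manual's warning is about ---
# Runtime config is on, but nothing restricts who may send CONFIG-level
# commands (condor_config_val -rset), so a client that can reach the daemon
# port could change in-memory settings without authenticating.
# ENABLE_RUNTIME_CONFIG = True
# (no SEC_CONFIG_* requirement, no ALLOW_CONFIG restriction)

# --- Hardened: runtime config only over mutually authenticated SSL ---
# Both ENABLE_* knobs are read once at daemon startup; changing them needs a
# restart, condor_reconfig is not enough (see the condor_config.cpp comment).
ENABLE_RUNTIME_CONFIG    = True
ENABLE_PERSISTENT_CONFIG = False

# Steps 1 and 2: certificates installed on the central manager and execute
# nodes, referenced by the daemon-side (SERVER) and tool-side (CLIENT) entries.
# Paths are placeholders.
AUTH_SSL_SERVER_CAFILE   = /etc/condor/ssl/ca.pem
AUTH_SSL_SERVER_CERTFILE = /etc/condor/ssl/host-cert.pem
AUTH_SSL_SERVER_KEYFILE  = /etc/condor/ssl/host-key.pem
AUTH_SSL_CLIENT_CAFILE   = /etc/condor/ssl/ca.pem
AUTH_SSL_CLIENT_CERTFILE = /etc/condor/ssl/admin-cert.pem
AUTH_SSL_CLIENT_KEYFILE  = /etc/condor/ssl/admin-key.pem

# Step 3: SSL is the only accepted method for CONFIG-level commands, and
# authentication, integrity and encryption are mandatory, not negotiable.
SEC_CONFIG_AUTHENTICATION         = REQUIRED
SEC_CONFIG_AUTHENTICATION_METHODS = SSL
SEC_CONFIG_INTEGRITY              = REQUIRED
SEC_CONFIG_ENCRYPTION             = REQUIRED

# Map the certificate subject to a canonical HTCondor identity. Assumed
# mapfile line: SSL "/DC=org/DC=example/CN=condor_admin" condor_admin@example.org
CERTIFICATE_MAPFILE = /etc/condor/condor_mapfile
# Only that mapped identity is authorized at the CONFIG level.
ALLOW_CONFIG = condor_admin@example.org

# Even the authorized admin may only change this whitelist at runtime
# (the SETTABLE_ATTRS... family quoted from the manual in the thread).
SETTABLE_ATTRS_CONFIG = MAX_JOBS_RUNNING, START
```

After the daemon restart, the check worth running before relying on this is that a condor_config_val -rset from a client without a mapped certificate is refused, while the mapped admin can change only the two whitelisted variables.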