[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] Forbidding users to run condor_reconfig

Hi Lukas,

I was actually just looking at this a couple weeks ago and wondering the same thing.  My feeling is it should be changed to ADMINISTRATOR.  (For example, condor_restart, or a combination of condor_off/condor_on would also cause a new config file to be used.)

I'll discuss with the other developers and see if they agree.  Thanks for the feedback.

Perhaps moving the binary into sbin instead of bin would help obfuscate, but even deleting it doesn't stop the user from downloading the tool and running it, so unfortunately I don't think there's a way to stop it without a code change.


> -----Original Message-----
> From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of
> Koschmieder, Lukas
> Sent: Tuesday, March 27, 2018 12:46 PM
> To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
> Subject: [HTCondor-users] Forbidding users to run condor_reconfig
> Hi,
> On my scheduler-only node, I've set ALLOW_WRITE to *.my-local-domain in
> order for users to be able to submit jobs remotely. The problem is that
> this also allows them to run condor_reconfig because DC_RECONFIG_FULL only
> requires access level WRITE.
> 1.	Is there a reason why condor_reconfig doesn't require a higher
> access level such as CONFIG or ADMINISTRATOR?
> 2.	I was wondering if you could give me a hint on how to tighten up my
> config according to this issue?
> condor_config:
>     CONDOR_HOST         = tux201.iehk.rwth-aachen.de
>     UID_DOMAIN          = rwth-aachen.de
>     ALLOW_READ          = *.$(UID_DOMAIN)
>     ALLOW_WRITE         = *.$(UID_DOMAIN)
>     ALLOW_CONFIG        = condor-admin@$(UID_DOMAIN)/$(CONDOR_HOST)
>     ALLOW_DAEMON        = ssl@$(UID_DOMAIN)/*.$(UID_DOMAIN)
>     SSL emailAddress=(.*)@(.*).rwth-aachen.de \1
>     SSL CN=(.*).rwth-aachen.de ssl
> MasterLog:
> PERMISSION GRANTED to lkosch@xxxxxxxxxxxxxx from host for
> command 60012 (DC_RECONFIG_FULL), access level WRITE: reason: WRITE
> authorization policy allows hostname tux201.iehk.rwth-aachen.de;
> identifiers used for this remote host:,tux201.iehk.rwth-
> aachen.de
> 03/27/18
> Best regards,
> Lukas