[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] Forbidding users to run condor_reconfig



Just FYI, they will still be able to do a âcondor_reconfig -scheddâ.

 

After a brief discussion we plan to move this to ADMINISTRATOR in the next devel release.

 

 

Cheers,

-zach

 

 

On 3/28/18, 3:42 AM, "HTCondor-users on behalf of Koschmieder, Lukas" <htcondor-users-bounces@xxxxxxxxxxx on behalf of Lukas.Koschmieder@xxxxxxxxxxxxxxxxxxx> wrote:

 

Hi Zach,

 

I've just found an even better workaround:

 

ALLOW_WRITE         = condor-admin@$(UID_DOMAIN)/$(CONDOR_HOST)
ALLOW_WRITE_SCHEDD  = *.$(UID_DOMAIN)

This is basically a whitelist approach where you specify which daemons users should be allowed to have WRITE access to.

 

However, the original issue (DC_RECONFIG_FULL only requires access level WRITE) still remains. Therefore it would be nice I've you could still contact the other developers.

 

Best regards,

Lukas


From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Zach Miller <zmiller@xxxxxxxxxxx>
Sent: Tuesday, March 27, 2018 8:02:18 PM
To: HTCondor-Users Mail List
Subject: Re: [HTCondor-users] Forbidding users to run condor_reconfig

 

Hi Lukas,

I was actually just looking at this a couple weeks ago and wondering the same thing.  My feeling is it should be changed to ADMINISTRATOR.  (For example, condor_restart, or a combination of condor_off/condor_on would also cause a new config file to be used.)

I'll discuss with the other developers and see if they agree.  Thanks for the feedback.

Perhaps moving the binary into sbin instead of bin would help obfuscate, but even deleting it doesn't stop the user from downloading the tool and running it, so unfortunately I don't think there's a way to stop it without a code change.


Cheers,
-zach


> -----Original Message-----
> From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of
> Koschmieder, Lukas
> Sent: Tuesday, March 27, 2018 12:46 PM
> To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
> Subject: [HTCondor-users] Forbidding users to run condor_reconfig
>
> Hi,
>
>
> On my scheduler-only node, I've set ALLOW_WRITE to *.my-local-domain in
> order for users to be able to submit jobs remotely. The problem is that
> this also allows them to run condor_reconfig because DC_RECONFIG_FULL only
> requires access level WRITE.
>
>
>
> 1.    Is there a reason why condor_reconfig doesn't require a higher
> access level such as CONFIG or ADMINISTRATOR?
> 2.    I was wondering if you could give me a hint on how to tighten up my
> config according to this issue?
>
>
> condor_config:
>
>     CONDOR_HOST         = tux201.iehk.rwth-aachen.de
>     UID_DOMAIN          = rwth-aachen.de
>
>     ALLOW_READ          = *.$(UID_DOMAIN)
>     ALLOW_WRITE         = *.$(UID_DOMAIN)
>     ALLOW_ADMINISTRATOR = condor-admin@$(UID_DOMAIN)/$(CONDOR_HOST)
>     ALLOW_CONFIG        = condor-admin@$(UID_DOMAIN)/$(CONDOR_HOST)
>     ALLOW_DAEMON        = ssl@$(UID_DOMAIN)/*.$(UID_DOMAIN)
>
> CERTIFICATE_MAPFILE:
>
>     SSL emailAddress=(.*)@(.*).rwth-aachen.de \1
>     SSL CN=(.*).rwth-aachen.de ssl
>
> MasterLog:
>
> PERMISSION GRANTED to lkosch@xxxxxxxxxxxxxx from host 137.226.130.71 for
> command 60012 (DC_RECONFIG_FULL), access level WRITE: reason: WRITE
> authorization policy allows hostname tux201.iehk.rwth-aachen.de;
> identifiers used for this remote host: 137.226.130.71,tux201.iehk.rwth-
> aachen.de
> 03/27/18
>
> Best regards,
> Lukas


_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users

The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/