[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] REQUIRE_LOCAL_CONFIG_FILE's potential security issue

On 3/30/2018 12:27 PM, pascal ebay wrote:

I have a question regarding this comment in the condor_config file that I don't understand:

##Â If the local config file is not present, is it an error? (WARNING: This is a potential security issue.)

I was wondering how the fact that allow (or not) local config files could be a security issue. If I understand correctly, any resource that is allowed to connect to the central manager is free to use any condor_config file they wish -- so why would it matter that they use a local config file or not?


When REQUIRE_LOCAL_CONFIG_FILE=False, then even if the condor_config says there is a local config file it is ok for HTCondor to run if the local config file is missing. These semantics are very convenient - "if the config_config.local file exists, then use it, and if it does not exist, then don't".

But the security worry is you may end up with a machine in your pool that has only part of the intended configuration.

This is pretty paranoid stuff, but for instance, imagine /etc/condor/condor_config has
And imagine the local config file is sitting on some shared filesystem (e.g. NFS) and contains settings that are important to the security of the system, like UID_DOMAIN. Now imagine at the time your execute node boots up, your NFS server just happens to be down. It is possible you now have a node in your HTCondor pool that is not running with the configuration you intended, which is always worrisome.