[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Condor-users] FS REMOTE with 6.8.1

Date: Mon, 09 Oct 2006 14:54:57 -0500
From: "David A. Kotz" <dkotz@xxxxxxxxxxxxx>
Subject: [Condor-users] FS REMOTE with 6.8.1

I'm about to migrate my Linux cluster (with shared NFS filesystems) from6.7.20 to 6.8.1. I want to verify my understanding of theauthentication changes and their implications before doing so.

In the past, I've put the new version of Condor in place by changing asymlink and allowing the daemons to upgrade themselves as they noticedthe new versions, which has worked pretty well. It seems that with thenew version I will have to schedule downtime and upgrade all machines atonce, but that I will not have to change anything in my Condor config.Is that correct?




From the release notes:

"Fixed a security vulnerability in Condor's FS and FS_REMOTEauthentication methods. The vulnerability allowed an attacker toimpersonate another user on the system, potentially allowing submissionof jobs as a different user. This may allow escalation to root privilegeif the Condor binaries and configuration files have improperpermissions. The fix is not backwards compatible, which means alldaemons and tools using FS authentication must be running Condor 6.8.1or greater. The same applies to FS_REMOTE; All daemons and tools usingFS_REMOTE must be using Condor 6.8.1 or greater. In practice, this meansthat for FS, all Condor binaries on one host must be version 6.8.1 orgreater, but versions can be different from host to host. For FS_REMOTEit means all binaries across all hosts must be 6.8.1 or greater."

Follow-Ups:
- Re: [Condor-users] FS REMOTE with 6.8.1
  - From: Zachary Miller

Prev by Date: Re: [Condor-users] Condor Job Success With different return value
Next by Date: Re: [Condor-users] FS REMOTE with 6.8.1
Previous by thread: Re: [Condor-users] Condor Job Success With different return value
Next by thread: Re: [Condor-users] FS REMOTE with 6.8.1
Index(es):
- Date
- Thread