Hi,
On my scheduler-only node, I've set ALLOW_WRITE to *.my-local-domain in order for users to be able to submit jobs remotely. The problem is that this also allows them to run condor_reconfig because DC_RECONFIG_FULL only requires access level WRITE.
condor_config:
  CONDOR_HOST = tux201.iehk.rwth-aachen.de
  UID_DOMAIN = rwth-aachen.de
  ALLOW_READ = *.$(UID_DOMAIN)
  ALLOW_WRITE = *.$(UID_DOMAIN)
  ALLOW_ADMINISTRATOR = condor-admin@$(UID_DOMAIN)/$(CONDOR_HOST)
  ALLOW_CONFIG = condor-admin@$(UID_DOMAIN)/$(CONDOR_HOST)
  ALLOW_DAEMON = ssl@$(UID_DOMAIN)/*.$(UID_DOMAIN)

CERTIFICATE_MAPFILE:
  SSL emailAddress=(.*)@(.*).rwth-aachen.de \1
  SSL CN=(.*).rwth-aachen.de ssl

MasterLog:
  PERMISSION GRANTED to lkosch@xxxxxxxxxxxxxx from host 137.226.130.71 for command 60012 (DC_RECONFIG_FULL), access level WRITE: reason: WRITE authorization policy allows hostname tux201.iehk.rwth-aachen.de; identifiers used for this remote host: 137.226.130.71,tux201.iehk.rwth-aachen.de 03/27/18

Best regards,
Lukas
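
A check an operator could run over the MasterLog to list who has been granted DC_RECONFIG_FULL without being an administrator. This is an added example, not part of the original post: the regex follows the log line quoted above, while the sample lines, the example.org names, the placeholder command, the watched-command set and the admin list are assumptions.

```python
import re

# Pattern follows the MasterLog grant line quoted in the post.
GRANT_RE = re.compile(
    r"PERMISSION GRANTED to (?P<user>\S+) from host (?P<host>\S+) "
    r"for command (?P<num>\d+) \((?P<name>\w+)\), access level (?P<level>\w+)"
)

# Assumption: the commands the operator treats as administrative.
WATCHED_COMMANDS = {"DC_RECONFIG_FULL"}


def find_unexpected_grants(lines, admin_users, watched=WATCHED_COMMANDS):
    """Return one record per watched command granted to a non-admin identity."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = GRANT_RE.search(line)  # search() tolerates a timestamp prefix
        if m is None:
            continue  # not a grant line
        if m["name"] not in watched or m["user"] in admin_users:
            continue
        findings.append({
            "line": lineno,
            "user": m["user"],
            "host": m["host"],
            "command": m["name"],
            "level": m["level"],
        })
    return findings


# Constructed sample lines (not real log data). EXAMPLE_OTHER_CMD and its
# number are placeholders, not real HTCondor command names.
SAMPLE_LOG = [
    "PERMISSION GRANTED to alice@example.org from host 192.0.2.10 "
    "for command 60012 (DC_RECONFIG_FULL), access level WRITE: reason: "
    "WRITE authorization policy allows hostname submit1.example.org",
    "PERMISSION GRANTED to condor-admin@example.org from host 192.0.2.1 "
    "for command 60012 (DC_RECONFIG_FULL), access level WRITE: reason: "
    "WRITE authorization policy allows hostname sched.example.org",
    "PERMISSION GRANTED to bob@example.org from host 192.0.2.11 "
    "for command 99999 (EXAMPLE_OTHER_CMD), access level WRITE: reason: "
    "WRITE authorization policy allows hostname submit2.example.org",
]

if __name__ == "__main__":
    for f in find_unexpected_grants(SAMPLE_LOG, {"condor-admin@example.org"}):
        print(f"line {f['line']}: {f['user']} from {f['host']} ran "
              f"{f['command']} at level {f['level']}")
```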