Re: [HTCondor-users] REQUIRE_LOCAL_CONFIG_FILE's potential security issue

[Todd Tannenbaum <tannenba@xxxxxxxxxxx>]

On 3/30/2018 12:27 PM, pascal ebay wrote:
> Hello,
>
> I have a question regarding this comment in the condor_config file that 
> I don't understand:
> ##Â If the local config file is not present, is it an error? (WARNING: 
> This is a potential security issue.)
> #REQUIRE_LOCAL_CONFIG_FILE = true
>
> I was wondering how the fact that allow (or not) local config files 
> could be a security issue. If I understand correctly, any resource that 
> is allowed to connect to the central manager is free to use any 
> condor_config file they wish -- so why would it matter that they use a 
> local config file or not?
> Regards
> Pascal
When REQUIRE_LOCAL_CONFIG_FILE=False, then even if the condor_config 
says there is a local config file it is ok for HTCondor to run if the 
local config file is missing.  These semantics are very convenient - "if 
the config_config.local file exists, then use it, and if it does not 
exist, then don't".
But the security worry is you may end up with a machine in your pool 
that has only part of the intended configuration.
This is pretty paranoid stuff, but for instance, imagine 
/etc/condor/condor_config has
   LOCAL_CONFIG_FILE=/some/nfsmount/configs/condor_config.myhost.local
And imagine the local config file is sitting on some shared filesystem 
(e.g. NFS) and contains settings that are important to the security of 
the system, like UID_DOMAIN.  Now imagine at the time your execute node 
boots up, your NFS server just happens to be down.  It is possible you 
now have a node in your HTCondor pool that is not running with the 
configuration you intended, which is always worrisome.
regards,
Todd