Steve Traylen wrote:
> A delegated one which is not accepted at the GK.
I believed that delegated credentials *are* accepted by Globus
gatekeepers, just as they are by GridFTP servers and other GSI-secured
systems. However, I would want to check before making any authoritative
statements.
> No nor does mine, the question still stands, what can one do with a valid
> GSI credential and an entry in the grid-mapfile compared to someone with
> a valid password or installed key file and entry in the passwd file.
Nothing. There is no difference in terms of the capabilities granted to
the user -- but I wasn't trying to imply that there was.
> You are suggesting
> [jobmanager-fork] is inherently weaker by design though [than SSH] for
> some reason.
No, that's not what I'm trying to say. What I'm trying to say is that,
because of this bug, my ability to strictly limit the set of people who
can execute untrusted code on my CE is compromised.
To remain an operational site, I am required to allow any external user
to execute any arbitrary code they want on my frontend node, outside of
normal accounting and sandboxing controls on my SGE cluster. This is a
clear violation of the Principle of Least Privilege and a dangerous
security bug.
Thus, if we adopt the policy that no critical test may depend on a
software component or service with known unresolved security issues,
then the job-submission test would need to be marked as "non-critical".
This was the main point I was trying to make. I hope I have resolved
any confusion.
Cheers,
David
--
David McBride <[log in to unmask]>
Department of Computing, Imperial College, London