LHC Computer Grid - Rollout
> [mailto:[log in to unmask]] On Behalf Of Kyriakos G. Ginis
said:
> Keep in mind that globus-job-run could also be used in a malicious way
> on your CE (and perhaps is more dangerous than gsiftp), so I
> doubt if by
> disabling globus-gridftp on the CE you are actually increasing its
> security.
Not entirely true, a hacker only needs a restricted proxy (e.g. stolen
from a WN) to use gridftp, but you need a full proxy for globus-job-run.
Also of course more servers means more potential holes of any kind.
> Futhermore I have the suspicion that the following monitor
> uses globus-url-copy and will not function if globus-gridftp
> is disabled
> on the CEs:
>
> http://goc.grid-support.ac.uk/gppmonWorld/cert_maps/CE.html
I don't know what it actually does, but it should be able to get the
host certificate information from any secure service.
Stephen
|