Hello,
good point, as far as my french goes, can you repeat it in english? :)
thanks
cheers
alessandra
On Tue, 15 Nov 2005, David WEISSENBACH wrote:
> Salut Eric,
>
> Je me spose la question suivante en lisant ce thread :
> De toutes facons, un utilisateur qcq peut toujours dans
> son job lancer autant de process qu'il vaut sur le CE via
> SSH vue la configuration dudit CE (en conséquence a fortiori
> comme dit)
>
> Alors pourquoi le jobmanager fork fait il tant de vagues ?
>
> A+
> David
>
> On Tuesday 15 November 2005 17:06, you wrote:
>> Hi
>>
>> Dr D J Colling wrote:
>>> Hi Dave,
>>>
>>> I do see your point.
>>>
>>> Just a couple of points.
>>>
>>> 1. Of course anybody could perform the DoS attack you suggest, but you
>>> would know who they were as their DN would be logged as they would have
>>> gone through the same level of security as anybody running in the batch
>>> queue.
>>
>> Not really, somebody running a job on a WN ( via batch queue) can only
>> overload the WN, if somebody overload the gatekeeper, all the grid node
>> shutdown.
>> The level of security inside the hosts which provide the grids services
>> have to be higher
>>
>> Eric
>>
>>> 2. It is avery useful debugging tool and that should not be under
>>> estimated.
>>>
>>> All the best,
>>> david
>>>
>>> On Tue, 15 Nov 2005, David McBride wrote:
>>>> Alessandra Forti wrote:
>>>>> for me fork manager is a useful tool for who has to debug a possible
>>>>> misconfiguration from remote. You might not need it but I don't think we
>>>>> should get rid of it in general.
>>>>
>>>> That may well be the case, and I appreciate that you would try to use
>>>> this facility responsibly -- but I consider this an enormous security
>>>> risk.
>>>>
>>>> As it currently stands, any LCG user can run any abitrary executable
>>>> they want on my CE -- hundreds of instances at once, if they so desired
>>>> -- and DoS it into oblivion. Without accounting, without queueing, and
>>>> without any of the safeguards implemented on my worker nodes, any Grid
>>>> user can fork as many processes that they want on my gatekeeper and do
>>>> lots of bad things.
>>>>
>>>> This is clearly a BUG, not a feature, and _MUST_ be disabled.
>>>>
>>>> Dissentions?
>>>>
>>>> Cheers,
>>>> David
>
--
********************************************
* Dr Alessandra Forti *
* Technical Coordinator - NorthGrid Tier2 *
* http://www.hep.man.ac.uk/u/aforti *
********************************************
|