Actually the worker nodes have running cron jobs, so not only is it not
disabled but it is used.
cheers
alessandra
On Mon, 7 Feb 2005, Burke, S (Stephen) wrote:
> Testbed Support for GridPP member institutes
>> [mailto:[log in to unmask]] On Behalf Of Kostas Georgiou said:
>> It's pretty easy in the worker nodes to add an ssh key or a cron job
>> that will collect proxies from the pool account once it gets reused.
>
> It *shouldn't* be easy, or indeed possible: cron should be disabled and
> pool accounts should be wiped when they get recycled. Do you have
> evidence that it actually is possible? I raised this as a security issue
> about a year ago, but I don't know if any action was taken to ensure
> that sites are secure in that regard; maybe Dave Kelsey can comment if
> he's reading this ...
>
> In any case, as Mike said, all you can get from a WN is a restricted
> proxy which doesn't let you submit jobs. Full proxies are stored on RBs,
> myproxies and UIs. The first two are normally standalone machines, a UI
> would probably be the easiest to hack but it would still need someone to
> get access as root. In the future a VOMS server will also be a big
> target for hackers.
>
>> Also let's not forget all the people with root access on the machines
>> involved, probably more than a few dozen; even if it's unlikely that
>> they will do something, it's one more vector that you need to consider.
>
> Maybe we should start doing positive vetting for sysadmins :) However,
> in practice admins already have a lot of scope to cause damage, but I'm
> not aware that it has actually been an issue, after all it would end
> someone's career if/when they got caught. In a court it's possibly true
> that someone could point to access by admins to create reasonable doubt,
> but in more informal situations admins are likely to be regarded as
> trustworthy unless there's evidence to the contrary. Also I doubt that
> it's as many as a few dozen, for example if I submit a job from the RAL
> UI to the RAL RB it would only be RAL admins who would have access; I
> don't know how many there are but I'd guess that it's less than a few
> dozen.
>
> Stephen
>
--
********************************************
* Dr Alessandra Forti *
* Technical Coordinator - NorthGrid Tier2 *
* http://www.hep.man.ac.uk/u/aforti *
********************************************
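The thread turns on whether a recycled pool account can carry over a crontab or an ssh key into its next user's session. The script below is an added example, not code from the thread or from any GridPP site: a small audit a site admin could run on a worker node before handing a pool account to its next job. The account name pattern, the home and cron spool paths, and the sample directory tree it builds for its own demo are all constructed assumptions; on a real node the paths would be `/home` and `/var/spool/cron` (or the distribution's equivalent).

```shell
#!/bin/sh
# Added example (not from the thread). Audit a pool account for persistence
# left behind by a previous job: a crontab, an ssh authorized_keys file, or
# any file still in the home directory (a wiped account should have none).
# All paths are parameters so the check can be exercised on a constructed
# tree; ASSUMED real locations are /home and /var/spool/cron.

# audit_pool_account HOME_BASE CRON_SPOOL ACCOUNT
# Prints one line per finding. Returns 0 if the account is clean, 1 otherwise.
audit_pool_account() {
    home_base="$1"
    cron_spool="$2"
    acct="$3"
    findings=0

    # Per-user crontabs live as one file per account in the spool directory.
    if [ -f "$cron_spool/$acct" ]; then
        echo "$acct: crontab present at $cron_spool/$acct"
        findings=1
    fi

    # A non-empty authorized_keys lets whoever holds the key log back in.
    if [ -s "$home_base/$acct/.ssh/authorized_keys" ]; then
        echo "$acct: ssh authorized_keys present in $home_base/$acct/.ssh"
        findings=1
    fi

    # After a proper wipe the home directory should contain nothing at all.
    if [ -d "$home_base/$acct" ] && [ -n "$(ls -A "$home_base/$acct")" ]; then
        echo "$acct: home directory not empty after recycle"
        findings=1
    fi

    return "$findings"
}

# audit_all HOME_BASE CRON_SPOOL PATTERN
# Runs the audit over every account directory matching PATTERN (e.g. 'pool*').
# Returns 0 only if every account is clean.
audit_all() {
    home_base="$1"
    cron_spool="$2"
    pattern="$3"
    status=0
    for dir in "$home_base"/$pattern; do
        [ -d "$dir" ] || continue
        audit_pool_account "$home_base" "$cron_spool" "$(basename "$dir")" || status=1
    done
    return "$status"
}

# Demo on a constructed tree: pool001 has leftovers, pool002 was wiped.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/pool001/.ssh" "$tmp/home/pool002" "$tmp/cron"
    echo "0 * * * * /bin/true" > "$tmp/cron/pool001"            # constructed
    echo "ssh-rsa AAAAB3Nza... constructed-key" > "$tmp/home/pool001/.ssh/authorized_keys"
    if audit_all "$tmp/home" "$tmp/cron" 'pool*'; then
        echo "all pool accounts clean"
    else
        echo "at least one pool account needs wiping"
    fi
    rm -rf "$tmp"
}

# Run the demo only when executed directly, not when sourced.
case "$0" in
    *sh) ;;
    *) demo ;;
esac
```

Running the demo prints two findings for `pool001` (crontab and authorized_keys, plus the non-empty home) and nothing for `pool002`. Wiring `audit_all` into the job-epilogue or the account-recycling script gives a site a concrete check on the "cron should be disabled and pool accounts should be wiped" requirement rather than an assumption.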