Hi Gidon,
This doesn't seem to work for me (see below for more details). While as the
original user I can successfully turn my grid-proxy into voms-proxy, I am not
able to do this as e.g. root user (simulation of the abuser who stole my
grid-proxy). I think that without the content of .globus, what you describe is
not possible...
Best regards, Antun
First step: verify that as a regular user I can turn my grid-proxy into
voms-proxy using -noregen option:
[antun@ce antun]$ grid-proxy-init
Your identity: /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Antun Balaz
Enter GRID pass phrase for this identity:
Creating proxy ............................................... Done
Your proxy is valid until: Thu Jul 26 04:39:54 2007
[antun@ce antun]$ voms-proxy-info -all
WARNING: Unable to verify signature! Server certificate possibly not installed.
Error: VOMS extension not found!
subject : /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Antun Balaz/CN=proxy
issuer : /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Antun Balaz
identity : /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Antun Balaz
type : proxy
strength : 512 bits
path : /tmp/x509up_u29921
timeleft : 11:59:42
[antun@ce antun]$
[antun@ce antun]$ voms-proxy-init -noregen -voms dteam
Your identity: /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Antun Balaz/CN=proxy
Cannot find file or dir: /home/antun/.glite/vomses
Contacting lcg-voms.cern.ch:15004 [/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch] "dteam" Done
Creating proxy .......................................... Done
Warning: your certificate and proxy will expire Thu Jul 26 04:39:54 2007
which is within the requested lifetime of the proxy
[antun@ce antun]$ voms-proxy-info -all
subject : /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Antun Balaz/CN=proxy/CN=proxy
issuer : /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Antun Balaz/CN=proxy
identity : /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Antun Balaz/CN=proxy
type : unknown
strength : 512 bits
path : /tmp/x509up_u29921
timeleft : 11:59:20
=== VO dteam extension information ===
VO : dteam
subject : /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Antun Balaz
issuer : /DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch
attribute : /dteam/Role=NULL/Capability=NULL
attribute : /dteam/see/Role=NULL/Capability=NULL
attribute : /dteam/see/YU/Role=NULL/Capability=NULL
attribute : /dteam/see/YU/AEGIS01-PHY-SCL/Role=NULL/Capability=NULL
timeleft : 11:59:57
[antun@ce antun]$
So, everything worked. And now the second step: as a root, I copy the newly
created grid-proxy to some file, export X509_USER_PROXY to point to it, and
try to add voms-attributes:
[antun@ce antun]$ grid-proxy-init
Your identity: /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Antun Balaz
Enter GRID pass phrase for this identity:
Creating proxy ...................................... Done
Your proxy is valid until: Thu Jul 26 04:47:30 2007
[antun@ce antun]$ voms-proxy-info -all
WARNING: Unable to verify signature! Server certificate possibly not installed.
Error: VOMS extension not found!
subject : /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Antun Balaz/CN=proxy
issuer : /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Antun Balaz
identity : /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Antun Balaz
type : proxy
strength : 512 bits
path : /tmp/x509up_u29921
timeleft : 11:59:56
[antun@ce antun]$ exit
logout
[root@ce root]# cp /tmp/x509up_u29921 /tmp/aaa
[root@ce root]# voms-proxy-info -all
WARNING: Unable to verify signature! Server certificate possibly not installed.
Error: VOMS extension not found!
subject : /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Antun Balaz/CN=proxy
issuer : /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Antun Balaz
identity : /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Antun Balaz
type : proxy
strength : 512 bits
path : /tmp/aaa
timeleft : 11:59:30
[root@ce root]# voms-proxy-init -noregen -voms dteam
Your identity: /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Antun Balaz/CN=proxy
Cannot find file or dir: /root/.glite/vomses
Contacting voms.cern.ch:15004 [/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch] "dteam" Failed
Error: dteam: User unknown to this VO.
Trying next server for dteam.
Contacting lcg-voms.cern.ch:15004 [/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch] "dteam" Failed
Error: dteam: User unknown to this VO.
None of the contacted servers for dteam were capable
of returning a valid AC for the user.
-----
Antun Balaz
Research Assistant
E-mail: [log in to unmask]
Web: http://scl.phy.bg.ac.yu/
Phone: +381 11 3713152
Fax: +381 11 3162190
Scientific Computing Laboratory
Institute of Physics, Belgrade, Serbia
-----
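As an added illustration of the lifetime gap discussed in this thread (the proxy's own lifetime versus the lifetime of its VOMS attribute certificate), here is a small Python parser for `voms-proxy-info -all` output; it is not code from the list or from VOMS, and the sample output is constructed in the format shown above. The value it reports per VO is the period during which the credential is still valid but carries no live VOMS attributes.

```python
"""Parse `voms-proxy-info -all` output and report, per VO, how long the
proxy remains valid after its VOMS AC has expired (the window in which it
acts as a plain grid-proxy). Added example; sample output is constructed."""
import re
from typing import Dict, Tuple

# Constructed sample: a 24h proxy carrying a 12h dteam AC (illustration only).
SAMPLE_OUTPUT = """\
subject   : /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Antun Balaz/CN=proxy/CN=proxy
issuer    : /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Antun Balaz/CN=proxy
identity  : /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Antun Balaz/CN=proxy
type      : unknown
strength  : 512 bits
path      : /tmp/x509up_u29921
timeleft  : 23:59:20
=== VO dteam extension information ===
VO        : dteam
subject   : /C=RS/O=AEGIS/OU=Institute of Physics Belgrade/CN=Antun Balaz
issuer    : /DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch
attribute : /dteam/Role=NULL/Capability=NULL
timeleft  : 11:59:57
"""

def hms_to_seconds(value: str) -> int:
    """Convert a 'H:MM:SS' timeleft field to seconds ('0:00:00' means expired)."""
    h, m, s = (int(x) for x in value.strip().split(":"))
    return h * 3600 + m * 60 + s

def parse_proxy_info(text: str) -> Tuple[int, Dict[str, int]]:
    """Return (proxy_timeleft_seconds, {vo_name: ac_timeleft_seconds}).
    The first 'timeleft' belongs to the proxy; each '=== VO ... ===' header
    starts a section whose 'timeleft' belongs to that VO's AC."""
    proxy_left, acs, current_vo = None, {}, None
    for line in text.splitlines():
        vo = re.match(r"=== VO (\S+) extension information ===", line)
        if vo:
            current_vo = vo.group(1)
            continue
        kv = re.match(r"\s*(\w+)\s*:\s*(.*)$", line)
        if kv and kv.group(1) == "timeleft":
            secs = hms_to_seconds(kv.group(2))
            if current_vo is None:
                proxy_left = secs
            else:
                acs[current_vo] = secs
    if proxy_left is None:
        raise ValueError("no proxy timeleft line found")
    return proxy_left, acs

def bare_proxy_window(text: str) -> Dict[str, int]:
    """Seconds per VO in which the AC is expired but the proxy is still valid."""
    proxy_left, acs = parse_proxy_info(text)
    return {vo: max(0, proxy_left - left) for vo, left in acs.items()}
```

A proxy with no VOMS extension at all yields an empty dictionary, which is the case worth flagging separately when jobs are expected to run with VOMS attributes.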
---------- Original Message -----------
From: Gidon Moont <[log in to unmask]>
To: [log in to unmask]
Sent: Wed, 25 Jul 2007 15:33:02 +0100
Subject: Re: [LCG-ROLLOUT] Expiration time of a proxy before the end of job.
> But, with a given valid proxy (voms AC added or not), I can ask for
> a new VOMS AC (no password needed) and chain the proxy...
>
> So, unless the VO(s) of the user threw the person off their system,
> a proxy can always become "voms" again...
>
> Cheers
>
> Gidon
>
> On Wed, 25 Jul 2007, Antun Balaz wrote:
>
> > Hi Kostas,
> >
> > Surely you are right - the basic proxy (grid-proxy part) will still be valid
> > for any period the user decided to create it for, and just the voms attributes
> > will expire after 24 hours due to the limitations of the VOMS server that
> > should be in place. In fact, lifetimes of the underlying proxy and its voms
> > attributes can be set separately (using -valid and -vomslife switches).
> >
> > In practice, where authorization for many things still depends on the classical
> > static (non-VOMS enabled) grid-mapfile, this means that the potential abuser
> > would not have any problems utilizing the voms-proxy with voms attributes
> > expired (basically, using it as a grid-proxy). Of course, if a person is a
> > member of two or more VOs, just one VO could be used by the abuser (and it
> > would depend on the local mapping, which can vary from site to site). However,
> > orientation towards VOMS-enabled services should prevent this in the future -
> > when authorization on all Grid services is made VOMS-enabled, possible
> > problems would disappear.
> >
> > So, currently, although voms-proxies with expired voms attributes can still be
> > abused, in no way should VOs be encouraged to extend allowed voms lifetimes.
> > This would again develop bad habits which have only slowly started to change...
> >
> > Best regards, Antun
> >
> > -----
> > Antun Balaz
> > Research Assistant
> > E-mail: [log in to unmask]
> > Web: http://scl.phy.bg.ac.yu/
> >
> > Phone: +381 11 3713152
> > Fax: +381 11 3162190
> >
> > Scientific Computing Laboratory
> > Institute of Physics, Belgrade, Serbia
> > -----
> >
> > ---------- Original Message -----------
> > From: Kostas Georgiou <[log in to unmask]>
> > To: [log in to unmask]
> > Sent: Wed, 25 Jul 2007 15:03:12 +0100
> > Subject: Re: [LCG-ROLLOUT] Expiration time of a proxy before the end of job.
> >
> > > On Tue, Jul 24, 2007 at 07:01:18PM +0200, Antun Balaz wrote:
> > >
> > > > Hi to all,
> > > >
> > > > This is certainly not a way to go! In order to increase the allowed lifetime
> > > > of a VOMS proxy for EGEE VOs, the permission must be asked from Joint Security
> > > > Policy Group (JSPG), since this is clearly related with the security issues
> > > > (voms-proxies can be subjects of abuse; the longer their lifetime, the
> > > > longer possible abuse).
> > >
> > > I am probably missing something since I haven't looked closely at
> > > VOMS, but AFAIK the VOMS servers just add an attribute to the user
> > > proxy. It is that attribute that expires and not the proxy. Since
> > > the attribute is only there to say "this proxy (if still valid) has
> > > X role" I can not really see how it can be abused beyond the delay
> > > that you'll get when a role is removed from a user. Surely what is
> > > important is the proxy (which can still have any lifetime) and not
> > > the attribute. What abuse scenarios do you have in mind? Maybe I am
> > > missing something somewhere.
> > >
> > > Cheers,
> > > Kostas
> > ------- End of Original Message -------
> >
>
> --------------------------------------------------
>
> Dr. Gidon Moont
> High Energy Physics Group, The Blackett Laboratory
> Imperial College London, South Kensington Campus
> Prince Consort Road, LONDON SW7 2BW
> Tel: +44 (0)207 594 7810
> http://gridportal.hep.ph.ic.ac.uk/
------- End of Original Message -------