Yes, indeed - I tried it like you did, and it worked. I tried it also with the
help of another user (who had his own .globus in the home directory
unchanged), and it also worked... Probably the environment is different for
root, so it did not work the first time I tried.
In my view, this is a serious security flaw, and something has to be done -
the addition of voms attributes must be challenged somehow! Romain, what does
OSCT have to say?
Of course, the abuser here would have to rely on the fact that the user has to
create a long-lived proxy (grid- or voms- alike). If that is not the case, the
problem is minimized and confined to up to 24 hours. And if the user cannot
create a voms-proxy with the lifetime of voms attributes longer than 24 hours,
then he/she would not have much reason to create the basic proxy part with a
longer lifetime...
Best regards, Antun
-----
Antun Balaz
Research Assistant
E-mail: [log in to unmask]
Web: http://scl.phy.bg.ac.yu/
Phone: +381 11 3713152
Fax: +381 11 3162190
Scientific Computing Laboratory
Institute of Physics, Belgrade, Serbia
-----
---------- Original Message -----------
From: Gidon Moont <[log in to unmask]>
To: [log in to unmask]
Sent: Wed, 25 Jul 2007 15:54:38 +0100
Subject: Re: [LCG-ROLLOUT] Expiration time of a proxy before the end of job.
> not sure why you cannot do this... (.globus moved for good measure) -
> no password required with -noregen
>
> cheers
>
> Gidon
>
> [gidon@lx07 ~]$ voms-proxy-init -vomslife 0:00 --voms dteam
> Cannot find file or dir: /home/hep/gidon/.glite/vomses
> Your identity: /C=UK/O=eScience/OU=Imperial/L=Physics/CN=gidon moont
> Enter GRID pass phrase:
> Creating temporary proxy
> ............................................................. Done
> Contacting voms.cern.ch:15004
> [/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch] "dteam" Done
> Creating proxy ....................................................... Done
> Your proxy is valid until Thu Jul 26 03:52:38 2007
> [gidon@lx07 ~]$ voms-proxy-info --all
> subject : /C=UK/O=eScience/OU=Imperial/L=Physics/CN=gidon moont/CN=proxy
> issuer : /C=UK/O=eScience/OU=Imperial/L=Physics/CN=gidon moont
> identity : /C=UK/O=eScience/OU=Imperial/L=Physics/CN=gidon moont
> type : proxy
> strength : 512 bits
> path : /tmp/x509up_u53094
> timeleft : 11:59:56
> === VO dteam extension information ===
> VO : dteam
> subject : /C=UK/O=eScience/OU=Imperial/L=Physics/CN=gidon moont
> issuer : /DC=ch/DC=cern/OU=computers/CN=voms.cern.ch
> attribute : /dteam/Role=NULL/Capability=NULL
> timeleft : 0:00:00
> [gidon@lx07 ~]$ mv .globus/ .temp_shifted_globus/
> [gidon@lx07 ~]$ voms-proxy-init -noregen --voms dteam
> Cannot find file or dir: /home/hep/gidon/.glite/vomses
> Your identity: /C=UK/O=eScience/OU=Imperial/L=Physics/CN=gidon moont/CN=proxy
> Contacting voms.cern.ch:15004
> [/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch] "dteam" Done
> Creating proxy ....................................................... Done
>
> Warning: your certificate and proxy will expire Thu Jul 26 03:52:38 2007
> which is within the requested lifetime of the proxy
> [gidon@lx07 ~]$ voms-proxy-info --all
> subject : /C=UK/O=eScience/OU=Imperial/L=Physics/CN=gidon moont/CN=proxy/CN=proxy
> issuer : /C=UK/O=eScience/OU=Imperial/L=Physics/CN=gidon moont/CN=proxy
> identity : /C=UK/O=eScience/OU=Imperial/L=Physics/CN=gidon moont/CN=proxy
> type : unknown
> strength : 512 bits
> path : /tmp/x509up_u53094
> timeleft : 11:59:43
> === VO dteam extension information ===
> VO : dteam
> subject : /C=UK/O=eScience/OU=Imperial/L=Physics/CN=gidon moont
> issuer : /DC=ch/DC=cern/OU=computers/CN=voms.cern.ch
> attribute : /dteam/Role=NULL/Capability=NULL
> timeleft : 11:59:56
------- End of Original Message -------
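As an added example (not part of this thread, and not code from the VOMS tools), the script below reads a `voms-proxy-info --all` report like the ones quoted above and flags the two conditions the thread is about: a proxy that was signed by another proxy rather than by the user certificate (the `/CN=proxy/CN=proxy` subject and `type : unknown` that appear after `-noregen`), and a proxy or VOMS attribute lifetime beyond a site limit. The two full report samples are transcribed from Gidon's session; the third is constructed from the first by stretching the lifetimes, and the 24-hour limit is an assumed site policy taken from Antun's reasoning, not a VOMS default. Legacy-style `/CN=proxy` chains only are counted; RFC 3820 proxies with numeric CNs are not handled.

```python
import re

# Policy thresholds in seconds. The 24 h window is the confinement period
# discussed in the thread; using it as a site limit is an assumption.
MAX_PROXY_SECONDS = 24 * 3600
MAX_AC_SECONDS = 24 * 3600

# "key : value" lines as printed by voms-proxy-info. Multi-word diagnostics
# such as "Cannot find file or dir: ..." deliberately do not match.
_KV = re.compile(r"^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$")


def parse_timeleft(text):
    """Convert a 'timeleft' field (H:MM:SS, hours not bounded at 24) to seconds."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def parse_report(text):
    """Split a `voms-proxy-info --all` report into the proxy section and one
    dict per '=== VO <name> extension information ===' block."""
    proxy, vos, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("=== VO "):
            current = {}
            vos.append(current)
            continue
        match = _KV.match(line)
        if match:
            target = proxy if current is None else current
            target[match.group(1)] = match.group(2)
    return proxy, vos


def audit(text):
    """Return parsed lifetimes plus a list of human-readable findings."""
    proxy, vos = parse_report(text)
    findings = []

    # Each "/CN=proxy" component is one legacy-style signing step. Depth > 1
    # means the credential was signed by a proxy, not by the user certificate,
    # which is what -noregen against an existing proxy file produces.
    # Assumption: RFC 3820 proxies (numeric CNs) are not counted.
    depth = proxy.get("subject", "").count("/CN=proxy")
    if depth > 1:
        findings.append("proxy chain depth %d: signed by another proxy" % depth)
    if proxy.get("type") == "unknown":
        findings.append("voms-proxy-info could not classify the proxy type")

    proxy_left = parse_timeleft(proxy.get("timeleft", "0:00:00"))
    if proxy_left > MAX_PROXY_SECONDS:
        findings.append("proxy lifetime %d s exceeds policy %d s" % (proxy_left, MAX_PROXY_SECONDS))

    ac_left = []
    for vo in vos:
        secs = parse_timeleft(vo.get("timeleft", "0:00:00"))
        ac_left.append(secs)
        if secs > MAX_AC_SECONDS:
            findings.append("VOMS attributes for %s valid %d s, beyond policy %d s"
                            % (vo.get("VO", "?"), secs, MAX_AC_SECONDS))

    return {"depth": depth, "proxy_timeleft": proxy_left,
            "ac_timeleft": ac_left, "findings": findings}


# Sample reports transcribed from the quoted session (first run: fresh proxy
# with a zero-lifetime AC; second run: after voms-proxy-init -noregen).
SAMPLE_FRESH = """subject : /C=UK/O=eScience/OU=Imperial/L=Physics/CN=gidon moont/CN=proxy
issuer : /C=UK/O=eScience/OU=Imperial/L=Physics/CN=gidon moont
identity : /C=UK/O=eScience/OU=Imperial/L=Physics/CN=gidon moont
type : proxy
strength : 512 bits
path : /tmp/x509up_u53094
timeleft : 11:59:56
=== VO dteam extension information ===
VO : dteam
subject : /C=UK/O=eScience/OU=Imperial/L=Physics/CN=gidon moont
issuer : /DC=ch/DC=cern/OU=computers/CN=voms.cern.ch
attribute : /dteam/Role=NULL/Capability=NULL
timeleft : 0:00:00
"""

SAMPLE_NOREGEN = """subject : /C=UK/O=eScience/OU=Imperial/L=Physics/CN=gidon moont/CN=proxy/CN=proxy
issuer : /C=UK/O=eScience/OU=Imperial/L=Physics/CN=gidon moont/CN=proxy
identity : /C=UK/O=eScience/OU=Imperial/L=Physics/CN=gidon moont/CN=proxy
type : unknown
strength : 512 bits
path : /tmp/x509up_u53094
timeleft : 11:59:43
=== VO dteam extension information ===
VO : dteam
subject : /C=UK/O=eScience/OU=Imperial/L=Physics/CN=gidon moont
issuer : /DC=ch/DC=cern/OU=computers/CN=voms.cern.ch
attribute : /dteam/Role=NULL/Capability=NULL
timeleft : 11:59:56
"""

# Constructed: the fresh report with a week-long proxy and AC lifetime.
SAMPLE_LONG = SAMPLE_FRESH.replace("11:59:56", "167:59:59").replace("0:00:00", "167:59:59")

if __name__ == "__main__":
    for name, sample in (("fresh", SAMPLE_FRESH), ("noregen", SAMPLE_NOREGEN), ("long", SAMPLE_LONG)):
        print(name, audit(sample))
```

A chain depth above 1 is also what legitimate delegation produces (a job's delegated credential is a proxy signed by a proxy), so the depth finding is an audit signal to correlate with where the file was found and who owns it, not proof of misuse on its own. The lifetime findings are the ones that map directly onto Antun's point: the shorter the proxy and attribute lifetimes a site tolerates, the smaller the window in which a copied proxy file can be refreshed with new attributes.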