BTW: here it is working with each of those settings at our site.


[pilatl01@r21-n01 ~]$ ls -lrt /etc/glexec.conf; /usr/sbin/glexec /usr/bin/id
-rw------- 1 glexec root 1190 Nov 29 15:13 /etc/glexec.conf
uid=24655(dteam156) gid=2028(dteam) groups=2028(dteam)

[pilatl01@r21-n01 ~]$ ls -lrt /etc/glexec.conf; /usr/sbin/glexec /usr/bin/id
-rw-r----- 1 root glexec 1190 Nov 29 15:13 /etc/glexec.conf
uid=24655(dteam156) gid=2028(dteam) groups=2028(dteam)
[pilatl01@r21-n01 ~]$ ls -lrt /etc/glexec.conf; /usr/sbin/glexec /usr/bin/id
-rw-r--r-- 1 glexec root 1190 Nov 29 15:13 /etc/glexec.conf
uid=24655(dteam156) gid=2028(dteam) groups=2028(dteam)

So it looks like it works with any of these settings you use! Go figure...

Ste



On 11/05/17 16:00, Stephen Jones wrote:
> Hi Winnie,
>
>
> On 11/05/17 14:27, Winnie Lacesso wrote:
>
>> So on a test WN w/glexec-wn installed, again the wretched q of 
>> ownership + permissions. As installed:
>> -rw------- 1 glexec root 1768 Feb 28  2014 /etc/glexec.conf
>>
>> But our version on working WN:
>> -rw-r----- 1 root   glexec 1055 May  4  2014 /etc/glexec.conf
>>
>> I forget exactly how it ended up with reversed owner/group but recall
>> there was some pain pain pain & this ended up working (read: passing
>> tests). What owner/group & permissions do other sites have?
>>
>> On some of the newer DICE WN:
>> -rw-r--r-- 1 glexec root 941 Apr  4  2016 /etc/glexec.conf
>>
>> Is world read permission (for this file) dangerous?
>
> Re:
>
>> I forget exactly how it ended up with reversed owner/group but recall 
>> there was some pain pain pain & this ended up working (read: passing 
>> tests). What owner/group & permissions do other sites have?
>
> It seems to be important that the glexec user has read access and for 
> root to have rw.
> At our site, it is actually given read access by giving read access to 
> the glexec
> group, of which glexec user is a member, I expect. And root (the 
> owner) has read and write
> access. Here's our setting.
>
> -rw-r----- 1 root glexec 1190 Nov 29 15:13 /etc/glexec.conf
>
> But in the setting (as installed???) from your site, the glexec user 
> actually owns the file (instead of root) and the owner has read access 
> rights.  But root has no access. And you say it did not pass tests, 
> which is not surprising because it's wrong (I could test it here if 
> you want, or do it yourself from the command line, see below) So you 
> tried this:
>
> -rw-r----- 1 root   glexec 1055 May  4  2014 /etc/glexec.conf
>
> That's the same as our site, so I'm not that surprised it works! 
> That's how it should be.
>
> Re: is -rw-r--r-- dangerous.
>
> Passively more dangerous. It gives an attacker information that might 
> be useful if he were poking about. For example, a job could look at it 
> and find out what accounts he needs to use. He'd still need a proxy, 
> though, I think.
>
> Cheers,
>
> Ste
>
> *********** To test if glexec works, with, e.g. ATLAS, this is the 
> procedure. **************
>
> Testing the ARGUS Server and Worker Node with GLEXEC
>
> Be on some UI in your user account. Make a proxy.
>
> voms-proxy-init --voms dteam
>
> voms-proxy-info
>
> Be on test worker node, as root. Copy in the proxy with scp from 
> location shown in voms-proxy-init to /tmp/x509up_u460
>
> On workernode, change ownership of /tmp/x509up_u460 proxy to some 
> pilot account
>
> chown pilatl01:atlas /tmp/x509up_u460
>
> Change permissions.
>
> chmod 600 /tmp/x509up_u460
>
> Switch to the pilot user.
>
> su - pilatl01
>
> Run these commands to setup for the test.
>
> export GLEXEC_CLIENT_CERT=/tmp/x509up_u460
> export GLEXEC_SOURCE_PROXY=/tmp/x509up_u460
> export X509_USER_PROXY=/tmp/x509up_u460
>
> Do the test
>
> /usr/sbin/glexec /usr/bin/id
>
> If all is well, you will see something like this:
>
> uid=24683(dteam184) gid=2028(dteam) groups=2028(dteam)
>
> It means glexec switched user for you, which is what it is for.
>
> If you don't see that, something is wrong. Check the ARGUS policies if 
> it says "Not Applicable".
>

-- 
Steve Jones                             [log in to unmask]
Grid System Administrator               office: 220
High Energy Physics Division            tel (int): 43396
Oliver Lodge Laboratory                 tel (ext): +44 (0)151 794 3396
University of Liverpool                 http://www.liv.ac.uk/physics/hep/
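An added check, not part of the thread above: a small POSIX shell function that takes the mode, owner and group of /etc/glexec.conf (as printed by ls -l) and reports whether the setting matches the guidance in the thread (glexec user or group can read, nobody else can) or is world-readable. The three settings shown in the thread are used as constructed inputs; the live wrapper uses GNU stat, which is assumed to be present on the worker node.

```shell
# glexec_conf_verdict MODE OWNER GROUP
# MODE is a symbolic ls -l mode such as '-rw-r-----'.
# Prints one of: ok, world-readable, world-writable, no-glexec-read
# Exit status 0 only for "ok".
glexec_conf_verdict() {
    mode=$1 owner=$2 group=$3
    # ls -l mode positions: 1 type, 2-4 owner, 5-7 group, 8-10 other
    user_r=$(printf '%s' "$mode" | cut -c2)
    group_r=$(printf '%s' "$mode" | cut -c5)
    other_r=$(printf '%s' "$mode" | cut -c8)
    other_w=$(printf '%s' "$mode" | cut -c9)

    # Anyone on the node being able to modify the config is the worst case.
    if [ "$other_w" = "w" ]; then
        echo world-writable
        return 1
    fi
    # The thread's concern: a job on the node can read the account mapping.
    if [ "$other_r" = "r" ]; then
        echo world-readable
        return 1
    fi
    # The glexec user must be able to read it: either as owner,
    # or via the glexec group (the setting used at Liverpool).
    if [ "$owner" = "glexec" ] && [ "$user_r" = "r" ]; then
        echo ok
        return 0
    fi
    if [ "$group" = "glexec" ] && [ "$group_r" = "r" ]; then
        echo ok
        return 0
    fi
    echo no-glexec-read
    return 1
}

# Check the real file on a worker node (GNU stat assumed).
glexec_conf_audit() {
    set -- $(stat -c '%A %U %G' "${1:-/etc/glexec.conf}")
    glexec_conf_verdict "$1" "$2" "$3"
}

# The three settings quoted in the thread (constructed inputs):
glexec_conf_verdict '-rw-------' glexec root    # ok
glexec_conf_verdict '-rw-r-----' root   glexec  # ok
glexec_conf_verdict '-rw-r--r--' glexec root    # world-readable
```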