On Mon, Feb 07, 2005 at 05:53:40PM -0000 or thereabouts, Kostas Georgiou wrote:
> On Mon, Feb 07, 2005 at 03:16:21PM -0000, Burke, S (Stephen) wrote:
>
> > In any case, as Mike said, all you can get from a WN is a restricted
> > proxy which doesn't let you submit jobs. Full proxies are stored on RBs,
> > myproxies and UIs. The first two are normally standalone machines, a UI
> > would probably be the easiest to hack but it would still need someone to
> > get access as root.
>
> The restricted proxy allows you to copy files around though right ?
> For the UI you only need access as the user that sumbited the job. In that
> regard have a look at my last weeks message about rfiod.
Kostas,
The rfiod on the UI is clearly a stupid thing that should not happen,
I generally would recommend not to run rfiod anywhere that. Also for the
same reason as above it is always recommended that you don't run say
a gridftp on a UI where your DN maps on your local account since stealing
your key and cert is then trivial.
We are assuming the keys have at least some level of encryption though.
It is pretty much the same as `ssh -A` though that by default has no time
limitation. You have to trust the sysadmins where your jobs run. The advantage
of GSI of course is the time limited factor and the fact that you can
revoke a certificate centrally. This all means you can trust the admins
slightly less since you can always stop all proxies you have out there dead.
Steve
p.s. And you were completely correct about /etc/cron.allow. Not sure where
I had got that at.allow was enough.
>
> Cheers,
> Kostas
--
Steve Traylen
http://www.gridpp.ac.uk/