Hi Winnie,
On 11/05/17 14:27, Winnie Lacesso wrote:
> So on a test WN w/glexec-wn installed, again the wretched q of ownership + permissions. As installed:
> -rw------- 1 glexec root 1768 Feb 28 2014 /etc/glexec.conf
>
> But our version on working WN:
> -rw-r----- 1 root glexec 1055 May 4 2014 /etc/glexec.conf
>
> I forget exactly how it ended up with reversed owner/group but recall
> there was some pain pain pain & this ended up working (read: passing
> tests). What owner/group & permissions do other sites have?
>
> On some of the newer DICE WN:
> -rw-r--r-- 1 glexec root 941 Apr 4 2016 /etc/glexec.conf
>
> Is world read permission (for this file) dangerous?
Re:
> I forget exactly how it ended up with reversed owner/group but recall
> there was some pain pain pain & this ended up working (read: passing
> tests). What owner/group & permissions do other sites have?
It seems to be important that the glexec user has read access and for root to have rw.
At our site, it is actually given read access by giving read access to the glexec
group, of which glexec user is a member, I expect. And root (the owner) has read and write
access. Here's our setting.
-rw-r----- 1 root glexec 1190 Nov 29 15:13 /etc/glexec.conf
But in the setting (as installed???) from your site, the glexec user
actually owns the file (instead of root) and the owner has read access
rights. But root has no access. And you say it did not pass tests,
which is not surprising because it's wrong (I could test it here if you
want, or do it yourself from the command line, see below.) So you tried this:
-rw-r----- 1 root glexec 1055 May 4 2014 /etc/glexec.conf
That's the same as our site, so I'm not that surprised it works! That's how it should be.
Re: is -rw-r--r-- dangerous.
Passively more dangerous. It gives an attacker information that might be
useful if he were poking about. For example, a job could look at it and
find out what accounts he needs to use. He'd still need a proxy, though,
I think.
Cheers,
Ste
*********** To test if glexec works, with, e.g. ATLAS, this is the
procedure. **************
Testing the ARGUS Server and Worker Node with GLEXEC
Be on some UI in your user account. Make a proxy.
voms-proxy-init --voms dteam
voms-proxy-info
Be on test worker node, as root. Copy in the proxy with scp from
location shown in voms-proxy-init to /tmp/x509up_u460
On the worker node, change ownership of the /tmp/x509up_u460 proxy to some pilot
account
chown pilatl01:atlas /tmp/x509up_u460
Change permissions.
chmod 600 /tmp/x509up_u460
Switch to the pilot user.
su - pilatl01
Run these commands to set up for the test.
export GLEXEC_CLIENT_CERT=/tmp/x509up_u460
export GLEXEC_SOURCE_PROXY=/tmp/x509up_u460
export X509_USER_PROXY=/tmp/x509up_u460
Do the test
/usr/sbin/glexec /usr/bin/id
If all is well, you will see something like this:
uid=24683(dteam184) gid=2028(dteam) groups=2028(dteam)
It means glexec switched user for you, which is what it is for.
If you don't see that, something is wrong. Check the ARGUS policies if
it says "Not Applicable".
--
Steve Jones
Grid System Administrator office: 220
High Energy Physics Division tel (int): 43396
Oliver Lodge Laboratory tel (ext): +44 (0)151 794 3396
University of Liverpool http://www.liv.ac.uk/physics/hep/
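A small check for the glexec.conf ownership and mode the thread settles on (root owner rw, glexec group read, nothing for others), added here as an example and not part of the original mail; it assumes GNU stat on a Linux worker node and a group named glexec.

```shell
#!/bin/sh
# glexec_conf_check PATH [OWNER GROUP]
# Verifies that PATH has the ownership and mode the thread settles on for
# /etc/glexec.conf: owner (root) rw, group (glexec) r, no access for others.
# Prints one line per finding; returns 0 when everything matches, 1 otherwise.
# Assumes GNU stat (Linux worker node); OWNER/GROUP default to root:glexec.
glexec_conf_check() {
    path=$1
    want_owner=${2:-root}
    want_group=${3:-glexec}
    rc=0
    if [ ! -e "$path" ]; then
        echo "MISSING: $path"
        return 1
    fi
    # Owner name, group name, octal mode without leading zeros, e.g. "root glexec 640"
    set -- $(stat -c '%U %G %a' "$path")
    owner=$1; group=$2; mode=$3
    # Each octal digit is 0-7, so decimal digit arithmetic is enough to split
    # off the last three digits (owner, group, other).
    o=$(( mode / 100 % 10 )); g=$(( mode / 10 % 10 )); w=$(( mode % 10 ))
    if [ "$owner" != "$want_owner" ]; then
        echo "BAD OWNER: $owner (want $want_owner, which must be able to write)"; rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "BAD GROUP: $group (want $want_group so the glexec user can read)"; rc=1
    fi
    if [ "$o" -ne 6 ]; then
        echo "BAD OWNER MODE: $o (want rw-, i.e. 6)"; rc=1
    fi
    if [ "$g" -ne 4 ]; then
        echo "BAD GROUP MODE: $g (want r--, i.e. 4, or the glexec user cannot read it)"; rc=1
    fi
    if [ "$w" -ne 0 ]; then
        echo "WORLD ACCESS: other=$w (want 0; -rw-r--r-- lets any job read account names)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $path is $owner:$group mode $mode"
    return "$rc"
}

# Usage on a worker node: glexec_conf_check /etc/glexec.conf
```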