BTW: here it is working with each of those settings at our site.
[pilatl01@r21-n01 ~]$ ls -lrt /etc/glexec.conf; /usr/sbin/glexec /usr/bin/id
-rw------- 1 glexec root 1190 Nov 29 15:13 /etc/glexec.conf
uid=24655(dteam156) gid=2028(dteam) groups=2028(dteam)
[pilatl01@r21-n01 ~]$ ls -lrt /etc/glexec.conf; /usr/sbin/glexec /usr/bin/id
-rw-r----- 1 root glexec 1190 Nov 29 15:13 /etc/glexec.conf
uid=24655(dteam156) gid=2028(dteam) groups=2028(dteam)
[pilatl01@r21-n01 ~]$ ls -lrt /etc/glexec.conf; /usr/sbin/glexec /usr/bin/id
-rw-r--r-- 1 glexec root 1190 Nov 29 15:13 /etc/glexec.conf
uid=24655(dteam156) gid=2028(dteam) groups=2028(dteam)
So it looks like it works with any of these settings you use! Go figure...
Ste
On 11/05/17 16:00, Stephen Jones wrote:
> Hi Winnie,
>
>
> On 11/05/17 14:27, Winnie Lacesso wrote:
>
>> So on a test WN w/glexec-wn installed, again the wretched q of
>> ownership + permissions. As installed:
>> -rw------- 1 glexec root 1768 Feb 28 2014 /etc/glexec.conf
>>
>> But our version on working WN:
>> -rw-r----- 1 root glexec 1055 May 4 2014 /etc/glexec.conf
>>
>> I forget exactly how it ended up with reversed owner/group but recall
>> there was some pain pain pain & this ended up working (read: passing
>> tests). What owner/group & permissions do other sites have?
>>
>> On some of the newer DICE WN:
>> -rw-r--r-- 1 glexec root 941 Apr 4 2016 /etc/glexec.conf
>>
>> Is world read permission (for this file) dangerous?
>
> Re:
>
>> I forget exactly how it ended up with reversed owner/group but recall
>> there was some pain pain pain & this ended up working (read: passing
>> tests). What owner/group & permissions do other sites have?
>
> It seems to be important that the glexec user has read access and for
> root to have rw.
> At our site, it is actually given read access by giving read access to
> the glexec group, of which glexec user is a member, I expect. And root
> (the owner) has read and write access. Here's our setting.
>
> -rw-r----- 1 root glexec 1190 Nov 29 15:13 /etc/glexec.conf
>
> But in the setting (as installed???) from your site, the glexec user
> actually owns the file (instead of root) and the owner has read access
> rights. But root has no access. And you say it did not pass tests,
> which is not surprising because it's wrong (I could test it here if
> you want, or do it yourself from the command line, see below). So you
> tried this:
>
> -rw-r----- 1 root glexec 1055 May 4 2014 /etc/glexec.conf
>
> That's the same as our site, so I'm not that surprised it works!
> That's how it should be.
>
> Re: is -rw-r--r-- dangerous.
>
> Passively more dangerous. It gives an attacker information that might
> be useful if he were poking about. For example, a job could look at it
> and find out what accounts he needs to use. He'd still need a proxy,
> though, I think.
>
> Cheers,
>
> Ste
>
> *********** To test if glexec works, with, e.g. ATLAS, this is the
> procedure. **************
>
> Testing the ARGUS Server and Worker Node with GLEXEC
>
> Be on some UI in your user account. Make a proxy.
>
> voms-proxy-init --voms dteam
>
> voms-proxy-info
>
> Be on test worker node, as root. Copy in the proxy with scp from
> location shown in voms-proxy-init to /tmp/x509up_u460
>
> On workernode, change ownership of /tmp/x509up_u460 proxy to some
> pilot account
>
> chown pilatl01:atlas /tmp/x509up_u460
>
> Change permissions.
>
> chmod 600 /tmp/x509up_u460
>
> Switch to the pilot user.
>
> su - pilatl01
>
> Run these commands to setup for the test.
>
> export GLEXEC_CLIENT_CERT=/tmp/x509up_u460
> export GLEXEC_SOURCE_PROXY=/tmp/x509up_u460
> export X509_USER_PROXY=/tmp/x509up_u460
>
> Do the test
>
> /usr/sbin/glexec /usr/bin/id
>
> If all is well, you will see something like this:
>
> uid=24683(dteam184) gid=2028(dteam) groups=2028(dteam)
>
> It means glexec switched user for you, which is what it is for.
>
> If you don't see that, something is wrong. Check the ARGUS policies if
> it says "Not Applicable".
>
--
Steve Jones
Grid System Administrator office: 220
High Energy Physics Division tel (int): 43396
Oliver Lodge Laboratory tel (ext): +44 (0)151 794 3396
University of Liverpool http://www.liv.ac.uk/physics/hep/
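An added example (not code from the thread or from the glexec project) that turns the ownership/permission question above into a check you can run on a worker node. It evaluates who can read /etc/glexec.conf for a given owner, group and mode using the POSIX rule (owner bits if you own the file, else group bits if you are in the group, else other bits) and gives a verdict against the policy the thread settles on: root has rw, the glexec account can read, and "other" cannot. glexec itself is a setuid-root binary, and root bypasses the mode bits on regular files, which is why all three layouts listed at the top of the thread pass the /usr/bin/id test; the world-readable layout is still flagged, because that is the information leak asked about. Assumptions: the account is named "glexec" and belongs to the "glexec" group (as the thread's listings suggest), and audit_file relies on GNU coreutils stat -c.

```sh
#!/bin/sh
# Added example, not code from the thread: evaluate who can read
# /etc/glexec.conf for a given owner/group/mode and give a verdict against
# the policy the thread settles on (root rw, the glexec account reads,
# "other" does not read). Assumptions: the account is named "glexec" and is
# a member of the "glexec" group; audit_file uses GNU stat's -c option.

# norm_mode MODE -> exactly three octal digits (accepts 600, 0640, 100644)
norm_mode() {
    m=$1
    while [ ${#m} -gt 3 ]; do m=${m#?}; done
    while [ ${#m} -lt 3 ]; do m=0$m; done
    printf '%s\n' "$m"
}

# can_read OWNER GROUP MODE USER "GROUP LIST" -> yes|no
# POSIX class selection: owner bits if USER owns the file, else group bits
# if USER belongs to GROUP, else other bits. root bypasses the mode bits on
# regular files (CAP_DAC_OVERRIDE), which is why a setuid-root glexec reads
# its config under every layout listed in the thread.
can_read() {
    owner=$1; group=$2; mode=$(norm_mode "$3"); user=$4; ugroups=$5
    if [ "$user" = root ]; then echo yes; return 0; fi
    u=${mode%??}; rest=${mode#?}; g=${rest%?}; o=${rest#?}
    if [ "$user" = "$owner" ]; then
        bits=$u
    else
        case " $ugroups " in
            *" $group "*) bits=$g ;;
            *)            bits=$o ;;
        esac
    fi
    if [ $(( bits & 4 )) -ne 0 ]; then echo yes; else echo no; fi
}

# audit_conf OWNER GROUP MODE -> prints "OWNER GROUP MODE: VERDICT",
# returns 0 only for "ok". Severity order: world-writable (anyone could
# change the mapping config), glexec-cannot-read, world-readable (the
# information leak asked about in the thread).
audit_conf() {
    owner=$1; group=$2; mode=$(norm_mode "$3")
    o=${mode#??}
    verdict=ok
    if [ $(( o & 2 )) -ne 0 ]; then
        verdict=world-writable
    elif [ "$(can_read "$owner" "$group" "$mode" glexec glexec)" = no ]; then
        verdict=glexec-cannot-read
    elif [ $(( o & 4 )) -ne 0 ]; then
        verdict=world-readable
    fi
    printf '%s %s %s: %s\n' "$owner" "$group" "$mode" "$verdict"
    [ "$verdict" = ok ]
}

# audit_file PATH -> audit a real file (GNU coreutils stat)
audit_file() {
    p=$1
    [ -e "$p" ] || { echo "no such file: $p" >&2; return 2; }
    set -- $(stat -c '%U %G %a' "$p")
    audit_conf "$1" "$2" "$3"
}

# The three layouts quoted in the thread, reconstructed from its ls -l lines:
audit_conf glexec root   600        # ok
audit_conf root   glexec 640        # ok
audit_conf glexec root   644 || :   # world-readable
# On a node: audit_file /etc/glexec.conf
```

The mode-600 file owned by glexec passes only because glexec owns it; the same mode with root as owner would report glexec-cannot-read, even though the setuid-root binary would still read it, which is exactly the discrepancy between what the pilot test proves and what the file layout promises.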