Hello!
On 17.05.12 18:51, Rayson Ho wrote:
> Just want to understand your use case, what is the main reason you use
> the CSP mode??
Security. The queuemaster fully trusts the username sent by the client
binaries over the wire. You don't even have to reverse engineer the
somewhat ugly protocol spoken by the Grid Engine - a simple LD_PRELOAD
with an override of getuid() and getgid() is enough to run jobs under
the ownership of a different user (even root). It took me about an hour
to exploit a Grid Engine and I'm quite a bad "hacker". Assuming you have
a cluster where more than a handful of fully trusted people are
working, you need to use CSP.
Everything is better than the standard "security" used in Grid Engine.
Even port-based authentication in NFS and RSH offers more security.
On 16.05.12 17:09, Prentice Bisbal wrote:
> I dealt with this problem by generating new certificates, but then
> this problem showed up again about 6 months later, so I generated new
> certificates again.
That's standard in the X.509 world. Your certificates have expiry dates
and you have to renew them before they expire. The standard in the Grid
Engine scripts is 6 months. You may expand this value, but sooner or
later you will run into the same troubles.
There are different approaches. Like good old "ident", where the server
(in this case the queuemaster) asks the client for the username which
initiated the connection. There are even better solutions like MUNGE [1]
used by SLURM, based on cryptographic hashes. Finally there was a
solution in the Grid Engine 5.x times where the client binaries were
installed SUID root and connected from a privileged port - the way rsh
works. Sadly this support was dropped in the 6.x line in favor of CSP.
[1] http://munge.googlecode.com/
CSP is probably a far too complex solution for the problem. But it's the
only available one at the moment. The other option - security by
obscurity - isn't a good one but usually accepted as CSP is too complex
to be installed and maintained.
Beat
--
\|/ Beat Rubischon <[email protected]>
( 0-0 ) http://www.0x1b.ch/~beat/
oOO--(_)--OOo---------------------------------------------------
My experiences, thoughts and dreams: http://www.0x1b.ch/blog/
_______________________________________________
users mailing list
[email protected]
https://gridengine.org/mailman/listinfo/users
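The MUNGE-style alternative mentioned in the mail, as an added sketch that is neither MUNGE's real wire format nor any Grid Engine code: instead of trusting a uid/gid the client claims, the scheduler accepts only a credential whose uid/gid are bound to a timestamp and nonce by an HMAC under a cluster-wide secret. The key name, TTL and payload layout are assumptions for the illustration.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# Constructed demo secret. In a real deployment this lives in a root-only file
# on every node, and credentials are issued by a root daemon that takes the
# uid/gid from the local socket peer (SO_PEERCRED), not from what the caller
# claims. That is what defeats the getuid()/getgid() override trick.
SHARED_KEY = b"constructed-cluster-key-do-not-use"
PAYLOAD_FMT = "!IIQ8s"          # uid, gid, issue time (unix seconds), nonce
PAYLOAD_LEN = struct.calcsize(PAYLOAD_FMT)   # 24 bytes
TAG_LEN = hashlib.sha256().digest_size       # 32 bytes


def issue_credential(uid, gid, key=SHARED_KEY, now=None):
    """Client-node side: bind uid/gid + time + nonce with an HMAC-SHA256 tag."""
    now = int(time.time()) if now is None else int(now)
    payload = struct.pack(PAYLOAD_FMT, uid, gid, now, os.urandom(8))
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode("ascii")


def verify_credential(cred, key=SHARED_KEY, ttl=300, now=None):
    """Queuemaster side: return (uid, gid) or raise ValueError.

    The MAC is checked before any field is interpreted, so a client that
    rewrote the uid bytes (the LD_PRELOAD scenario) is rejected outright.
    """
    now = int(time.time()) if now is None else int(now)
    raw = base64.b64decode(cred)
    if len(raw) != PAYLOAD_LEN + TAG_LEN:
        raise ValueError("malformed credential")
    payload, tag = raw[:PAYLOAD_LEN], raw[PAYLOAD_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        raise ValueError("bad MAC: credential altered or wrong key")
    uid, gid, issued, _nonce = struct.unpack(PAYLOAD_FMT, payload)
    if not issued <= now <= issued + ttl:        # bounded replay window
        raise ValueError("credential expired or not yet valid")
    return uid, gid


def accepts(cred, **kwargs):
    """Boolean convenience wrapper around verify_credential."""
    try:
        verify_credential(cred, **kwargs)
        return True
    except ValueError:
        return False
```

A real deployment would also keep a per-issuer replay cache of seen nonces within the TTL window, which MUNGE does and this sketch omits.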