[GE users] reserved ports in SGE 6.0

Bill Rankin wrankin at ee.duke.edu
Tue Nov 23 19:46:23 GMT 2004


On Tue, 2004-11-23 at 11:18, Andy Schwierskott wrote:
> Sean,
> 
> >> if you don't have a secure filesystem (like AFS) of course it means your
> >> certificates need to be on a local filesystem to have the full security
> >> needs addressed.
> >
> > Let's suppose that the cluster has a physically secure LAN (such as I
> > have).  Someone putting a rogue machine on the network becomes less of a
> > concern (and that's the main disadvantage I see of reserved ports).  At
> > that point the only way for someone to break the security is for them to
> > gain root privileges on a machine.  However, even with AFS, all someone
> > has to do is become root, wait for you to log in, then a few environment
> > variable changes and they have access to all your files in AFS.  As
> > such, I'm not sure that AFS with CSP is any more secure than reserved
> > ports, in what I consider to be the common case of having a physically
> > secure LAN.
> 
> I think I'm not getting the point - in AFS it doesn't help you to be root I
> think - with the special AFS login binary user root cannot simply log in as a
> normal user and get access to the user's home directory. Same would be with
> DCE.

I believe that Sean is referring to something along the lines of a "Man
in the Middle" security attack, which is fairly trivial if you have a
compromised root on a machine other users log into.

-bill


