[GE users] Any reason not to have all user's workstations as submit hosts?

reuti reuti at staff.uni-marburg.de
Mon Apr 12 18:38:11 BST 2010


Am 12.04.2010 um 19:28 schrieb hawson:

> On Mon, Apr 12, 2010 at 01:23:43PM -0400, reuti wrote:
>> Am 12.04.2010 um 19:18 schrieb bdbaddog:
>> 
>>> Reuti,
>>> 
>>> On Mon, Apr 12, 2010 at 9:05 AM, reuti <reuti at staff.uni-marburg.de> wrote:
>>>> Am 12.04.2010 um 12:35 schrieb rumpelkeks:
>>>> 
>>>>> Well, we've got a lot of things - certainly /home - on a central file
>>>> 
>>>> I would be concerned that someone uses local root access to gain access to other users files and credentials.
>>> 
>>> That's how most large deployments are done.
>>> (I've been at companies with up to 5k employees done this way, and
>>> even allowed mounting home dir's over the WAN, which was slow of
>>> course, but functional)
>>> All workstations use automount to mount /home's from various fileservers.
>>> There's also a noroot option on mount which won't let root access or
>>> is it just write/modify non local filesystems.
>> 
>> But when a user has local root access, he could create a local user for the one he want to access on the cluster - just use the right ID. Are there more protections to avoid this?
> 
> Why would a normal user have root on their workstation?  Furthermore,

init=/bin/sh

on the boot prompt, hence any boot loader must be configured have no wait time to avoid any custom options.


> they should prevent from getting it as well via other means, such as
> booting off a CD or USB stick.

Yes, by a BIOS password.

And if a user uses another machine with a faked MAC and replaces his workstation?

-- Reuti

PS: Okay, my students have local root access anyway to learn to install some things on their own, hence we are happy with one head node as login server.


> -- 
> Jesse Becker
> NHGRI Linux support (Digicon Contractor)
> 
> ------------------------------------------------------
> http://gridengine.sunsource.net/ds/viewMessage.do?dsForumId=38&dsMessageId=253155
> 
> To unsubscribe from this discussion, e-mail: [users-unsubscribe at gridengine.sunsource.net].

------------------------------------------------------
http://gridengine.sunsource.net/ds/viewMessage.do?dsForumId=38&dsMessageId=253157

To unsubscribe from this discussion, e-mail: [users-unsubscribe at gridengine.sunsource.net].



More information about the gridengine-users mailing list