[GE users] Any reason not to have all user's workstations as submit hosts?

prentice prentice at ias.edu
Wed Apr 14 16:21:23 BST 2010


hawson wrote:
> On Mon, Apr 12, 2010 at 01:23:43PM -0400, reuti wrote:
>> Am 12.04.2010 um 19:18 schrieb bdbaddog:
>>
>>> Reuti,
>>>
>>> On Mon, Apr 12, 2010 at 9:05 AM, reuti <reuti at staff.uni-marburg.de> wrote:
>>>> Am 12.04.2010 um 12:35 schrieb rumpelkeks:
>>>>
>>>>> Well, we've got a lot of things - certainly /home - on a central file
>>>> I would be concerned that someone uses local root access to gain access to other users' files and credentials.
>>> That's how most large deployments are done.
>>> (I've been at companies with up to 5k employees done this way, and
>>> even allowed mounting home dir's over the WAN, which was slow of
>>> course, but functional)
>>> All workstations use automount to mount /home's from various fileservers.
>>> There's also a noroot option on mount which won't let root access or
>>> is it just write/modify non local filesystems.
>> But when a user has local root access, he could create a local user for the one he wants to access on the cluster - just use the right ID. Are there more protections to avoid this?
> 
> Why would a normal user have root on their workstation?  Furthermore,
> they should be prevented from getting it as well via other means, such as
> booting off a CD or USB stick.
> 

Who said the user was normal? It could be a hacker trying to get on the
network from outside the building (wi-fi) from a box he already has root
on, or doing the same from inside the company by attaching a computer
not administered by the company to the network (an official visitor with
a laptop just "checking e-mail" for example), or a malicious employee
who uses a hack to elevate his privilege on a box for deviant purposes.

In all these cases, removing alternate boot methods is irrelevant.

-- 
Prentice

------------------------------------------------------
http://gridengine.sunsource.net/ds/viewMessage.do?dsForumId=38&dsMessageId=253393
