Giles:
My 2 cents to your question (note that this list is read by Xgrid
enthusiasts, not security experts). It seems you want to open your
grid to clients (not clear if these clients could also contribute as
agents, or if you would provide the agents).
To submit jobs to a controller, you need to be a client, and to be a
client, you need to know the client password (if one is set). So if
you open the grid to a lot of clients, they will all need to have the
(unique) password. This is the only access provided by Xgrid (outside
of Kerberos, but that means a local network, not a worldwide
Cluster). To provide different levels of access, and have individual
accounts, you need to add a layer on top of the original Xgrid
system. If you are trying to set up a grid that anybody can submit
to, this is probably what you will have to do. A web interface is
likely to be a good way to go, and maybe using a wrapper around the
command-line to dispatch the command to the controller.
Regarding malware: James' example is probably quite relevant. The web
server recently hacked was giving ssh access to anybody requesting
it, with the creation of a local account, though of course with non-
admin access. This is different, but very similar to giving access to
an agent thru xgrid. One big difference is you don't get a fully
interactive session like with ssh, but you have to decide in advance
what commands you will run and send thru xgrid. Another difference is
the hacker can't choose which agent will receive whatever command is
sent, but that is not really a problem. The bottom line is: with
local access to the machine, as user 'nobody', it seems likely that a
clever hacker will eventually gain admin access to the agent. It
might take more than 30 minutes.
So, Xgrid won't spread a virus (if such a beast were to exist), but
Xgrid might allow a determined client to gain control of an agent
(and eventually, to all of them). Note that even without gaining
control, the client might gather a lot of info about the agent. See
James Reynolds' site for more info.
charles
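
A sketch of the layer described above (individual accounts in front of the single Xgrid client password, with a wrapper around the command line), as an added example that is not part of the original message or of Xgrid itself. The account table, tokens, program paths and controller hostname are constructed, and the `XGRID_CONTROLLER_*` environment variable names are assumed from the `xgrid` command-line tool.

```python
import hashlib
import hmac

# Constructed accounts: each user has an individual token (stored hashed) and
# a list of programs they may run. All names and values are hypothetical.
ACCOUNTS = {
    "alice": {"token": hashlib.sha256(b"alice-token").hexdigest(),
              "allowed": {"/usr/bin/cal", "/usr/local/bin/blast"}},
    "bob": {"token": hashlib.sha256(b"bob-token").hexdigest(),
            "allowed": {"/usr/bin/cal"}},
}
# Placeholder used for unknown users so they follow the same code path.
NO_ACCOUNT = {"token": "0" * 64, "allowed": set()}


class Rejected(Exception):
    """Raised when a request must not reach the controller."""


def build_submission(user, token, program, args, shared_password):
    """Return (argv, env) for one xgrid job, or raise Rejected."""
    account = ACCOUNTS.get(user, NO_ACCOUNT)
    supplied = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time comparison of the per-user token digest.
    if not hmac.compare_digest(supplied, account["token"]):
        raise Rejected("authentication failed")
    # Users pick from programs decided in advance, not arbitrary commands.
    if program not in account["allowed"]:
        raise Rejected(f"{user} may not run {program}")
    if any("\x00" in a for a in args):
        raise Rejected("invalid argument")
    # argv is a list, so no shell ever parses user-supplied text.
    argv = ["xgrid", "-job", "submit", program, *args]
    # The one client password stays on the server and is never shown to
    # users. Environment variable names are assumed from the xgrid CLI.
    env = {"XGRID_CONTROLLER_HOSTNAME": "controller.example.org",
           "XGRID_CONTROLLER_PASSWORD": shared_password}
    return argv, env
```

The web front end would hand `argv` and `env` to `subprocess.run(argv, env=env)` without `shell=True`, and log the user name with each submission so that jobs can be traced to an individual account.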
On Apr 7, 2006, at 2:04 PM, James Reynolds wrote:
I was just wondering if viruses can be spread over an Xgrid cluster,
as this could cause a potential problem with my network.
Short story? As long as you password protect your grid, it is up
to the Xgrid admin to decide what applications run.
Long story:
Xgrid jobs run as the user nobody. That user can do a lot. But
not as much as a non-admin user.
The permissions of the user nobody do not allow installation of
anything that survives a reboot.
However, periodically there are holes discovered in OS X that allow
applications to escalate their permissions, allowing them to
install themselves so they start up at the next reboot or whatnot.
If you run the latest OS version you are protected from all the
published and known exploits.
Sometimes there is a brief period between the time someone outside
of Apple publishes an exploit and Apple patches it. And often
people find holes and tell Apple and those people know of the
exploit when no one else outside of Apple does (this is how that
hack-a-Mac contest server was hacked in 30 minutes--the admin gave
the crackers the ability to run apps, and one of the crackers knew
of an unpublished exploit).
FWIW, there are no Mac OS X viruses (or is the count up to one
now?). There is some malware, but again, it needs to either fool
you into installing it, or it has to take advantage of an exploit
(if there is one).
Also, running Firefox on your computer is as dangerous or more
dangerous than putting your computer on an Xgrid grid.
People are willing to run Firefox because they trust the Firefox
developers.
Likewise, you don't attach your computers to a grid run by someone
you don't trust. I trust Charles Parnot (he is a real person, I've
met him), so I'm willing to put 400 of my computers on his grid.
So it really depends on how much you trust the grid administrator.
If your grid administrator is the same person who installs software
on your computer, then you already have given him the keys to
install malware and so Xgrid makes no difference.
--
Thanks,
James Reynolds
University of Utah
Student Computing Labs
email@hidden
801-585-9811
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Xgrid-users mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription: