
Privilege Separation in Condor

Learn about the principle of least privilege in Condor and how it is implemented through the PrivSep Kernel, Switchboard, and ProcD. Discover the goals, operations, and implementation of PrivSep in Condor.



  1. Privilege Separation in Condor

  2. Principle of Least Privilege
  • “Every program and every user of the system should operate using the least set of privileges necessary to complete the job.”
  • Saltzer and Schroeder, 1975

  3. User IDs in Condor
  • condor user: an unprivileged account for Condor’s files and processes
  • Regular users: unprivileged accounts for the users who submit jobs to Condor
  • root user: the machine-wide superuser

  4. Un-Separated Condor
  [Diagram: the Condor daemon, its files and its processes, shown against the condor user and the root user]

  5. PrivSep: Goals
  • Reduce the part of Condor that runs with superuser privileges to a small “PrivSep Kernel”
  • Restrict the actions that Condor can perform via the PrivSep Kernel to a reasonable minimum for Condor’s operation

  6. PrivSep Kernel
  [Diagram: a Condor daemon sends a request to the PrivSep Kernel; the PrivSep Kernel checks whether the requested operation is authorized]

  7. PrivSep Kernel Operations
  • File Operations
    • Change ownership of a directory tree
    • Delete a directory tree
    • Perform an open or rename operation as a regular user
  • Process Operations
    • Execute a program as a regular user
    • Signal a process
    • Suspend, continue, or kill a process family
    • Get process family usage info

  8. PrivSep Kernel Implementation
  • Switchboard
    • Supports the file system operations and the ability to create processes as regular users
  • ProcD
    • Supports the rest of the process operations

  9. Implementation: The PrivSep Switchboard
  • root-owned setuid binary
  • Configured to allow a single account (condor) to use its operations
  • Limits on what actions it will perform are defined in a root-owned configuration file

  10. Switchboard: rm -rf
  [Diagram: StartD → Switchboard: “remove the directory tree at /condor/execute/dir_1234”; Switchboard: “dir_1234 is in a Condor-managed directory, so I’ll go ahead”]
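The two checks slides 9 and 10 describe (is the caller the condor account, and is the requested tree inside a Condor-managed directory) as an added example; this is illustrative code, not Condor's own Switchboard, and the uid 1001, the directory root /condor/execute/ and the operation names are assumed placeholders for what the root-owned configuration file would supply.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Placeholders for what the root-owned configuration file would supply:
 * the single account allowed to call the Switchboard and the directory
 * under which job sandboxes live. Both values are assumed, not Condor's. */
#define CONDOR_UID   ((uid_t)1001)
#define EXECUTE_ROOT "/condor/execute/"

enum { PRIVSEP_DENY = 0, PRIVSEP_ALLOW = 1 };

/* Lexical check that `path` names exactly one sandbox directory directly
 * under EXECUTE_ROOT: right prefix, a non-empty final component that is
 * neither "." nor "..", and no further '/' (so "../etc" cannot escape). */
static int is_sandbox_dir(const char *path) {
    size_t rootlen = strlen(EXECUTE_ROOT);
    if (strncmp(path, EXECUTE_ROOT, rootlen) != 0) return 0;
    const char *name = path + rootlen;
    if (*name == '\0' || strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    if (strchr(name, '/') != NULL) return 0;
    return 1;
}

/* Switchboard-style decision: who is asking, then whether the requested
 * tree operation is within the configured limits. Anything not explicitly
 * allowed is denied, including unknown operation names. */
int privsep_authorize(uid_t caller, const char *op, const char *path) {
    if (caller != CONDOR_UID) return PRIVSEP_DENY;
    if (strcmp(op, "rmtree") == 0 || strcmp(op, "chowntree") == 0)
        return is_sandbox_dir(path) ? PRIVSEP_ALLOW : PRIVSEP_DENY;
    return PRIVSEP_DENY;
}

/* Stand-alone demo. A real setuid binary would take the caller identity
 * from getuid(), the real uid of the invoking process, never from the request. */
int main(void) {
    const char *reqs[][2] = {
        { "rmtree",    "/condor/execute/dir_1234" },   /* slide 10's request */
        { "rmtree",    "/condor/execute/../etc"   },   /* leaves the managed dir */
        { "chowntree", "/home/gquinn"             },   /* outside the managed dir */
        { "mkdir",     "/condor/execute/dir_1"    },   /* op not offered by the kernel */
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("%-9s %-28s -> %s\n", reqs[i][0], reqs[i][1],
               privsep_authorize(CONDOR_UID, reqs[i][0], reqs[i][1]) ? "allow" : "deny");
    return 0;
}
```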

  11. Switchboard: Open as User
  [Diagram: SchedD → Switchboard: “open file X as user gquinn”]

  12. Implementation: The ProcD
  • Tracks the “family tree” of the Condor Master
  • Allows Condor to signal and gather accounting data for processes under its control
  • Runs as root (it’s part of the PrivSep Kernel)
  • Like the Switchboard, only accepts commands from the condor user account

  13. Implementation: The ProcD
  [Diagram: the Master asks the ProcD to “send a SIGTERM to Job B”; the process family is Master → StartD → two Starters, one running Job A and one running Job B; the ProcD delivers SIGTERM to Job B]

  14. Execute Side
  [Diagram: Master, ProcD, StartD, Switchboard, Starter]
  • PrivSep Kernel provides everything needed for full privilege separation
  • File transfer is accomplished by temporarily changing the ownership of the job’s sandbox to the condor user

  15. Submit Side
  [Diagram: Master, ProcD, SchedD, Switchboard, Shadow]
  • Cannot take care of file transfer via chown
  • File transfer logic needs to be executed in a separate, user-owned process (the TransferD)

  16. The TransferD
  [Diagram: SchedD, TransferD, Shadow; the TransferD sends data to the execute side]

  17. Current Status
  • PrivSep Kernel is implemented completely on UNIX, ProcD-only on Windows
  • Execute side has been modified to use the PrivSep Kernel, and can now run as an unprivileged user
  • TransferD implementation is complete
  • Submit-side integration with the PrivSep Kernel and TransferD is yet to come

  18. Questions?
