[torquedev] [Bug 211] pbs_sched does not read TRQ_IFNAME

bugzilla-daemon at supercluster.org bugzilla-daemon at supercluster.org
Wed Aug 22 13:18:21 MDT 2012


http://www.clusterresources.com/bugzilla/show_bug.cgi?id=211

--- Comment #13 from Michael Jennings <mej at lbl.gov> 2012-08-22 13:18:21 MDT ---
(In reply to comment #12)
> > the short answer is that you never want
> > private services listening publicly.  It's an unnecessary risk.
> 
> Sure, of course I agree (and secure people will agree as well) that this is a
> bad practice in general. 
> 
> But:
> 
> 1. On computing clusters usually all ports (except several) are closed for
> external interfaces.

Closed by what?  By definition, the ports aren't closed if there's something
listening on them.

And if you're referring to a firewall...well, they fail.  :-)

> 2. PBS Pro pbs_sched and pbs_mom listen to any (ok, let's suppose for now there
> are no security people in PBS Pro team).

Note the word "private" in my previous comment.  pbs_mom is not a private
service.  In TORQUE, pbs_sched is.  Maybe it's not in PBSPro; I have no idea. 
The two diverged a long time ago, and just because they share an ancestry
doesn't mean one can make assumptions about commonalities of current behavior. 
If one could, we'd all be climbing trees and slinging poo like the other
primates.  ;-)

> 3. TORQUE pbs_server listens to any:
> tcp  0      0 0.0.0.0:15001     0.0.0.0:*    LISTEN   3682/pbs_server 

See above.  pbs_server needs to listen to other hosts.  pbs_sched doesn't
AFAIK.

> Could you, please, explain if you follow the rule "do not listen to any" then
> why TORQUE pbs_server does not follow this rule as well?

See above.  :-)

As with most products, the defaults are configured for the general case.  They
won't cover every possible use case for every possible user.  For the majority
of users, pbs_sched listening on localhost only is the correct choice.  Same
for trqauthd.  Sure, they could default to listening on 0.0.0.0, but that would
violate the Principle of Least Privilege (see
https://developer.apple.com/library/mac/#documentation/Security/Conceptual/Security_Overview/SecuritySvcs/SecuritySvcs.html#//apple_ref/doc/uid/TP40002650-SW4
for more).
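
The distinction drawn in this message (pbs_server has to accept connections from other hosts, while pbs_sched and trqauthd should listen on localhost only) can be checked on a running node from `netstat -tlnp` output. The following is an added example, not part of the original message or of TORQUE; the private-service list and every sample row except the pbs_server line are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the services this message calls private to the host.
PRIVATE_SERVICES = {"pbs_sched", "trqauthd"}

# Constructed sample of `netstat -tlnp` output; only the pbs_server line
# comes from the message above, the rest is made up for the example.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp   0      0      0.0.0.0:15001    0.0.0.0:*        LISTEN  3682/pbs_server
tcp   0      0      0.0.0.0:15004    0.0.0.0:*        LISTEN  3690/pbs_sched
tcp   0      0      127.0.0.1:15005  0.0.0.0:*        LISTEN  3701/trqauthd
tcp6  0      0      :::22            :::*             LISTEN  901/sshd
"""

def parse_listeners(netstat_output):
    """Yield (address, port, program) for every LISTEN row."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "LISTEN":
            continue  # header, blank line, or a non-listening socket
        address, _, port = fields[3].rpartition(":")
        program = fields[6].partition("/")[2]  # "" when netstat shows "-"
        yield address, port, program

def bind_scope(address):
    """Classify a bind address as wildcard, loopback, or specific."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "unknown"
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "wildcard"
    return "loopback" if ip.is_loopback else "specific"

def audit(netstat_output, private=PRIVATE_SERVICES):
    """Return (program, socket, scope) for private services reachable off-host."""
    findings = []
    for address, port, program in parse_listeners(netstat_output):
        scope = bind_scope(address)
        if program in private and scope != "loopback":
            findings.append((program, f"{address}:{port}", scope))
    return findings

if __name__ == "__main__":
    for program, socket_, scope in audit(SAMPLE):
        print(f"{program} listens on {socket_} ({scope} bind)")
```

A "specific" result means the service is bound to one non-loopback interface, which may be intentional on a multi-homed head node but still deserves review.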
