Comment out host-based security in default config file.


We really want 9.0 to be secure by default, and host-based security isn’t.

  1. Comment out the use security : host_based line in the default condor_config.

  2. Change that metaknob to include Jaime’s “do the old, wrong way” knob (w.r.t. ALLOW_DAEMON and ALLOW_WRITE).

  3. Write an extensive comment about how that meta-knob was the default in the 8.8 series (and earlier), but we’re doing secure-by-default now, and that if you really want to carry on with an insecure pool, add that line to a file in /etc/condor/config.d.
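An added example, not part of the ticket or of HTCondor's own code: a shell check an administrator could run after upgrading to see whether any configuration file still turns host-based security on with an uncommented line. The function names and the temporary sample tree are constructed for illustration, and the check only looks at the files and directories it is given.

```shell
# Added example (not from the ticket): find config files that still enable
# the host-based security metaknob on an uncommented line.
# The caller supplies the paths; /etc/condor/config.d is the drop-in
# directory named in the ticket. Function names here are hypothetical.

# Print "file:line:text" for every active "use security : host_based" line.
# Lines whose first non-blank character is '#' are comments and do not match.
# Matching ignores case and tolerates spacing around the colon.
find_host_based() {
    grep -rHniE \
        '^[[:space:]]*use[[:space:]]+security[[:space:]]*:[[:space:]]*host_based([[:space:]]|$)' \
        "$@" 2>/dev/null
}

# Return 0 when no active line is found, 1 (and list the hits) otherwise.
check_pool_config() {
    hits=$(find_host_based "$@" || true)
    if [ -n "$hits" ]; then
        printf 'host-based security still enabled:\n%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample tree so the check runs offline: the main file has the
# line commented out (the new default), a drop-in file re-enables it.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/config.d"
printf '%s\n' '# use security : host_based' > "$demo_dir/condor_config"
printf '%s\n' 'use SECURITY : host_based' > "$demo_dir/config.d/99-legacy"

# Main file alone: passes. Main file plus drop-in directory: reports the hit.
check_pool_config "$demo_dir/condor_config" || true
check_pool_config "$demo_dir/condor_config" "$demo_dir/config.d" || true
```

On a real host, pass the installed condor_config and /etc/condor/config.d instead of the sample tree.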


Jaime Frey
February 25, 2021, 6:22 PM

Code Review

These changes look good.

Todd L Miller
February 25, 2021, 4:37 PM

This failed in BaTLab. Not sure how my previous personal-run testing didn’t notice this, but there will be additional patches until the failure is resolved. I’ll post another comment when that happens.
