[Users] [Carpet] checkpoint at run-time request
Steve White
steve.white at aei.mpg.de
Mon Oct 30 08:43:41 CST 2006
Erik,
I didn't finish my overhaul of the thorn. (My understanding is, a student
will be assigned to it any moment now.)
The corrections I made were mostly in the HTML generation code.
I don't think I did much work on the file in question.
As to the code Frank points out in Authorisation.c, yes, that is a bug.
As to a security audit or something: never mind that. The whole thing
is little more than a proof-of-concept; it was never intended to be secure
in any sense.
A good solution would be to run this interface through some secure
channel, which would check the user's credentials and encrypt everything.
This shouldn't be hard; maybe the D-Grid guys are working on
something like that. (?)
Cheers!
On 30.10.06, Erik Schnetter wrote:
> On Oct 30, 2006, at 14:01:53, Frank Loeffler wrote:
>
> >Hi,
> >
> >>On Oct 18, 2006, at 09:15:59, Bela Szilagyi wrote:
> >>>I know there is the web-interface option of steering parameters,
> >>>but I never trusted that enough to try...
> >
> >>>More generically, it would be quite useful to have a simple, usable,
> >>>and trustworthy way of modifying parameters of a run, while it's
> >>>running.
> >
> >Erik Schnetter wrote:
> >>Cactus has a web server thorn.
> >
> >I think this is what Bela meant by 'web interface' and what is somehow
> >connected to 'insecure' in my mind - without reasons to directly put my
> >finger on at the moment. Did someone already do a security audit on
> >this?
>
> Steve White looked at the code extensively a while ago; he corrected
> all the string manipulations. Your finding is probably a leftover
> oversight, a missing check for an error condition.
>
> The routines that display images, grid functions, or parameters are
> insecure if the web server runs multi-threaded (which it should),
> since then the web server follows pointers which may vanish at any
> time. The parameter steering, however, seems secure, since the
> steering requests are batched up until a specific point in time in
> the evolution.
>
> -erik
>
> --
> Erik Schnetter <schnetter at cct.lsu.edu>
>
> My email is as private as my paper mail. I therefore support encrypting
> and signing email messages. Get my PGP key from www.keyserver.net.
--
Steve White : Programmer
Max-Planck-Institut für Gravitationsphysik Albert-Einstein-Institut
Am Mühlenberg 1, D-14476 Golm, Germany +49-331-567-7625
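
Added example, not part of the original thread and not code from Cactus or its web server thorn: a minimal C sketch of the batching design Erik describes, in which a web-server thread only queues copies of steering requests and the evolution loop applies them at one fixed point. All names, the parameter table and the sizes are hypothetical.

```c
#include <pthread.h>
#include <string.h>
#define NAME_LEN 32
#define MAX_PENDING 16
/* Constructed parameter table, touched only by the evolution loop. */
struct param { char name[NAME_LEN]; double value; };
static struct param params[] = { {"dt", 0.25}, {"output_every", 10.0} };
#define NPARAMS (sizeof params / sizeof params[0])
/* The queue holds copies of each request, never pointers into run data. */
static struct param pending[MAX_PENDING];
static size_t npending;
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;

/* Web-server side: queue a request. Returns 0 if queued, -1 if refused. */
int steer_request(const char *name, double value) {
    size_t len = name ? strlen(name) : NAME_LEN;
    int rc = -1;
    if (len >= NAME_LEN) return -1;     /* refuse rather than truncate */
    pthread_mutex_lock(&lock);
    if (npending < MAX_PENDING) {       /* bounded: a full queue refuses */
        memcpy(pending[npending].name, name, len + 1);
        pending[npending++].value = value;
        rc = 0;
    }
    pthread_mutex_unlock(&lock);
    return rc;
}

/* Evolution side: call at one fixed point per iteration. Returns changes applied. */
int steer_apply_pending(void) {
    int applied = 0;
    pthread_mutex_lock(&lock);
    for (size_t i = 0; i < npending; i++)
        for (size_t p = 0; p < NPARAMS; p++)
            if (strcmp(pending[i].name, params[p].name) == 0) {
                params[p].value = pending[i].value;
                applied++;
            }
    npending = 0;                       /* unknown names are dropped */
    pthread_mutex_unlock(&lock);
    return applied;
}

/* Evolution-thread read of a parameter; -1.0 if the name is unknown. */
double param_get(const char *name) {
    for (size_t p = 0; p < NPARAMS; p++)
        if (strcmp(name, params[p].name) == 0) return params[p].value;
    return -1.0;
}

int main(void) { steer_request("dt", 0.5); return steer_apply_pending() == 1 ? 0 : 1; }
```

The display routines mentioned in the thread have no such hand-off point, which is why they are the part described as unsafe under a multi-threaded server.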