I have been requested to seek out information about configuring an installation of ROOT on a US government machine in the United States.
I have done some initial testing and found that I was able to build 5.28.000h and 5.36.34 on our SGI ICE Cluster and our Cray XC30 HPC Cluster.
My local security group is concerned about potential client/server use in our Kerberized environment, and asked the following questions:
I would appreciate a response as I have users requesting access to the software.
- Are there any known/published security issues?
This request is for version 5.28; the current version looks to be about 6.10.
** Note: I was able to build the 5.28.000h and 5.36.34 versions.
- It looks like this has client/server capability after all. See here for ROOT setting up a server and client, and passing an object, apparently without any form of authentication:
https://root.cern.ch/root/htmldoc/guides/users-guide/ROOTUsersGuide.html#networking
- Can ROOT objects include scripts or other arbitrary executable programs or shell commands?
- What (if any) authentication does networked ROOT support?
- Can the ROOT network capability be turned off in a config file, or maybe ./configure’d --disable’d, or patched out in the ROOT source code?
- It looks like the port is user-specified, so firewalls/iptables would not be able to provide mitigation.
Thanks