Bugzilla – Bug 107
incomplete ACL checks for routing queues
Last modified: 2010-12-23 03:05:40 MST
The function svr_chkque() in server/svr_jobfunc.c does not execute all ACL checks for routing queues; in particular the group ACL is only checked for execution queues:

    * 1. If the queue is an Execution queue ...
    /* 1f. if enabled, check the queue's group ACL */

Thus, routing queues can only be restricted on the basis of *user* ACLs as user ACLs are checked later as "5. if enabled, check the queue's user ACL" for any queue type.

To enable group ACLs (and acl_logic_or=true) also for routing queues, the check "1f. if enabled, check the queue's group ACL" probably should be done for any queue type.

"5.5. if failed user and group acls, fail" also only makes sense if "1f" is executed for any queue type (because otherwise failed_group_acl cannot be set for any non-execution queue).
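A simplified model of the check order described in this report, added here as an illustration; it is not the project's svr_chkque() code. The struct, the in_acl() and chkque() names and the group_check_all_types switch are hypothetical. It also assumes that without acl_logic_or a failed ACL rejects at once, while with it the failure is only recorded until step 5.5.

```c
#include <stdbool.h>
#include <string.h>

/* Simplified model; types and names are hypothetical, not the project's. */
enum qtype { QUEUE_EXECUTION, QUEUE_ROUTING };

struct queue {
    enum qtype  type;
    bool        acl_user_enable, acl_group_enable, acl_logic_or;
    const char *acl_users[4];   /* NULL-terminated allow lists */
    const char *acl_groups[4];
};

static bool in_acl(const char *const *acl, const char *name)
{
    for (; *acl != NULL; acl++)
        if (strcmp(*acl, name) == 0)
            return true;
    return false;
}

/* Returns true if the job may enter the queue. When group_check_all_types
 * is false, step 1f runs only for execution queues (the reported behaviour);
 * when true, it runs for every queue type (the change the report proposes). */
bool chkque(const struct queue *q, const char *user, const char *group,
            bool group_check_all_types)
{
    bool failed_user_acl = false, failed_group_acl = false;

    /* 1f. if enabled, check the queue's group ACL */
    if ((group_check_all_types || q->type == QUEUE_EXECUTION) &&
        q->acl_group_enable && !in_acl(q->acl_groups, group)) {
        if (!q->acl_logic_or)       /* assumed: strict mode rejects at once */
            return false;
        failed_group_acl = true;
    }

    /* 5. if enabled, check the queue's user ACL (any queue type) */
    if (q->acl_user_enable && !in_acl(q->acl_users, user)) {
        if (!q->acl_logic_or)
            return false;
        failed_user_acl = true;
    }

    /* 5.5. if failed user and group acls, fail */
    return !(failed_user_acl && failed_group_acl);
}
```

In this model a routing queue with only a group ACL admits a job from any group, and with acl_logic_or set the check at 5.5 cannot reject on a routing queue because failed_group_acl is never set.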