Bugzilla – Bug 84
Security bug on the way checkpoint is being handled
Last modified: 2010-11-01 15:10:03 MDT
Sequence of events:

1) user1 submitted a job with checkpoint enabled
2) user1 qholds it (i.e., checkpoints it)
3) pbs_server will create /var/spool/torque/checkpoint/110760.torque.hpc.muohio.edu.CK/ and then root@compute-node will scp the checkpoint context to user1@torque-server:/var/spool/torque/checkpoint/110760.torque.hpc.muohio.edu.CK/

The checkpoint directory right now is being created with 777 without the sticky bit. As a side note, because user1 needs to write into the checkpoint dir (because of the scp command), /var/spool/torque/checkpoint needs to be at least others-executable. This combination allows all other users to replace user1's checkpoint file under the checkpoint dir. This presents a security risk.

A simple patch to job_func.c will fix this, in 2.4.10 source,

# diff ./job_func.c ./job_func.c.dist 1119c1119 < if ((mkdir(serverfile, 01777) == -1) && (errno != EEXIST)) --- > if ((mkdir(serverfile, 0777) == -1) && (errno != EEXIST))

Perhaps another way to fix it is to create 110760.torque.hpc.muohio.edu.CK with user1 as owner and just 700 the 110760.torque.hpc.muohio.edu.CK directory.
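Review bot: On the changed line 1119, the mode passed to mkdir() is still filtered through the server's umask, and because the test accepts errno == EEXIST, a checkpoint directory that already exists keeps its old 0777 bits, so this call alone does not guarantee 01777 on disk; follow it with an explicit chmod(serverfile, 01777) and check the result. The diff was produced as "diff ./job_func.c ./job_func.c.dist", with the patched file first, so it reads in reverse and should be regenerated old-then-new (preferably unified) before anyone applies it. Also note that 01777 still lets any user create new files inside the directory; the sticky bit only stops them from removing or renaming entries they do not own, so the owner-plus-700 alternative suggested next to the patch is the tighter fix.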
> A simple patch to job_func.c will fix this, in 2.4.10 source,
> diff ./job_func.c ./job_func.c.dist

Looking for other 777 occurrences, one finds it not only in ./src/server/job_func.c's batch_request

    if ((mkdir(serverfile, 0777) == -1) && (errno != EEXIST))

but also in ./src/resmom/requests.c's req_cpyfile

    if ((mkdir(needdir, 0777) == -1) && (errno != EEXIST)) { log_err(errno, id, "Failed to create jobs checkpoint directory");

and in ./src/resmom/unicos8/mom_start.c's makedir

    if (mkdir(name, 0777) == -1)
These changes have been checked into the 2.4, 2.5 and trunk branches.
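
For reference, an added example that is not part of the bug report or of TORQUE's source: a helper that creates a checkpoint directory so that the requested mode (01777, or 0700 for the owner-only alternative) is what ends up on disk regardless of umask or a pre-existing directory, plus an audit check for the exposed state the report describes. The names make_ckpt_dir and ckpt_dir_is_exposed are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not TORQUE code: create a per-job checkpoint directory
 * and make sure the requested mode is what actually ends up on disk. */
int make_ckpt_dir(const char *path, mode_t mode)
{
    struct stat st;
    int fd, rc = -1;

    if (mkdir(path, mode) == -1 && errno != EEXIST)
        return -1;

    /* O_NOFOLLOW | O_DIRECTORY: on the EEXIST path, refuse a symlink or a
     * plain file that was already sitting at this name. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd == -1)
        return -1;

    /* mkdir() filters the mode through the umask, and an existing directory
     * keeps its old bits, so set the mode explicitly and read it back. */
    if (fchmod(fd, mode) == 0 && fstat(fd, &st) == 0 &&
        (st.st_mode & 07777) == mode)
        rc = 0;
    close(fd);
    return rc;
}

/* Audit check: 1 if path is a world-writable directory without the sticky
 * bit (the state this bug describes), 0 if not, -1 on error. */
int ckpt_dir_is_exposed(const char *path)
{
    struct stat st;

    if (lstat(path, &st) == -1)
        return -1;
    if (!S_ISDIR(st.st_mode))
        return 0;
    return (st.st_mode & S_IWOTH) != 0 && (st.st_mode & S_ISVTX) == 0;
}
```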