Bugzilla – Bug 84
Security bug on the way checkpoint is being handled
Last modified: 2010-11-01 15:10:03 MDT
Sequence of events:
1) user1 submitted a job with checkpoint enabled
2) user1 qholds it (i.e., checkpoints it),
3) pbs_server will create
/var/spool/torque/checkpoint/110760.torque.hpc.muohio.edu.CK/ and then
root@compute-node will do scp the checkpoint-context to
The checkpoint directory right now is being created with 777 without the sticky
bit. As a side note, because user1 needs to write into the checkpoint dir
(because of the scp command), /var/spool/torque/checkpoint needs to be at least
This combination allows all other users to replace user1's checkpoint file
under the checkpoint dir. This presents a security risk.
A simple patch to job_func.c will fix this, in 2.4.10 source,
# diff ./job_func.c ./job_func.c.dist
< if ((mkdir(serverfile, 01777) == -1) && (errno != EEXIST))
> if ((mkdir(serverfile, 0777) == -1) && (errno != EEXIST))
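Review bot: on the mkdir(serverfile, 01777) line, the requested mode is still filtered by the server's umask, and POSIX leaves the handling of bits outside the permission bits (the sticky bit included) in mkdir() implementation-defined, so an explicit chmod() after a successful mkdir() would make the resulting mode deterministic. 01777 also keeps the directory world-writable: the sticky bit stops other users from removing or renaming entries they do not own, but they can still create their own entries there, so a directory owned by the job owner with mode 0700 is the tighter fix. The diff is taken new-versus-old, so the '<' line is the proposed change; running it as diff -u ./job_func.c.dist ./job_func.c would read the conventional way.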
Perhaps another way to fix it is to create 110760.torque.hpc.muohio.edu.CK with
user1 as owner and just 700 the 110760.torque.hpc.muohio.edu.CK directory.
> A simple patch to job_func.c will fix this, in 2.4.10 source,
> diff ./job_func.c ./job_func.c.dist
Looking for other 777 occurrences, one finds it not only in
if ((mkdir(serverfile, 0777) == -1) && (errno != EEXIST))
but also in:
if ((mkdir(needdir, 0777) == -1) && (errno != EEXIST))
log_err(errno, id, "Failed to create jobs checkpoint directory");
if (mkdir(name, 0777) == -1)
These changes have been checked into the 2.4, 2.5 and trunk branches.