[Mauiusers] Maui LD_PRELOAD attack
Miguel Ros
miguel.ros at bsc.es
Fri Apr 11 00:58:28 MDT 2008
Hi Paul,
> Maui (and presumably, moab) does not provide user-level authentication, only
> host-level authentication via IP address. The user-based authentication is a
> fig-leaf: the client specifies which user they are and the server believes
> them. There's some effort to provide authenticated clients (a shared
> password), but it is ineffective and actually works against some production
> deployments.
>
> This is in contrast to how torque provides security. From memory, the client
> obtains a token from a suid binary. The suid binary communicates with the
> server to obtain a challenge the server issues. This works with privileged
> ports (<1024), so mandating the suid-bit.
>
Maybe I've misunderstood something, but I think that a similar level of
security is what the Maui patch that I've sent to the list provides. It adds
user-level authentication from a suid binary (mauth) that is not compiled by
default.
Regards,
Miguel