[Mauiusers] Maui LD_PRELOAD attack

Miguel Ros miguel.ros at bsc.es
Fri Apr 11 00:58:28 MDT 2008


Hi Paul,
> Maui (and presumably, moab) does not provide user-level authentication, only 
> host-level authentication via IP address.  The user-based authentication is a 
> fig-leaf: the client specifies which user they are and the server believes 
> them.  There's some effort to provide authenticated clients (a shared 
> password), but it is ineffective and actually works against some production 
> deployments.
>   
> This is in contrast to how torque provides security.  From memory, the client 
> obtains a token from a suid binary.  The suid binary communicates with the 
> server to obtain a challenge the server issues.  This works with privileged 
> ports (<1024), so mandating the suid-bit.
>   
Maybe I've misunderstood something, but I think that a similar level of
security is what the Maui patch that I've sent to the list provides. It adds
user-level authentication from a suid binary (mauth) that is not compiled
by default.

Regards,
Miguel

