[torquedev] Spool permissions check fix for FreeBSD

trasz at pin.if.uz.zgora.pl
Tue Nov 21 06:23:45 MST 2006


On 1120T2250, Garrick Staples wrote:
> On Sun, Nov 19, 2006 at 11:03:44AM +0100, trasz at pin.if.uz.zgora.pl alleged:
> > On 1118T1814, Garrick Staples wrote:
> > > On Sat, Nov 18, 2006 at 03:38:38PM +0100, trasz at pin.if.uz.zgora.pl alleged:
> > > > In FreeBSD, new files are created with group equal to the group of the
> > > > containing directory, not with group of creating process.  Thus, files
> > > > created in /var/spool/torque/spool have group 'wheel', which causes
> > > > pbs_mom to fail with 'pbs_mom: open_std_file, std file exists with
> > > > the wrong group, someone is doing something fishy' message when trying
> > > > to run an OpenMPI job.
> > > 
> > > Why would the group be inherited?  You shouldn't have the group setid
> > > bit on spool set.
> > 
> > On BSD it's always this way, even without setgid set.  From 
> > http://www.freebsd.org/cgi/man.cgi?query=open&apropos=0&sektion=0&manpath=FreeBSD+6.1-RELEASE&format=html
> > 
> > 'When a new file is created it is given the group of the directory which
> > contains it.'
> 
> Come to think of it, if the gid of spools is always 0, doesn't this
> patch just make the gid check worthless on freebsd?

Well, one can still use chgrp(1) to change the group of the file, so this
check is not void.  On the other hand...

> Does this reenable the original security problem?

... on the other hand, I'm not sure why it checks GID at all.  Checking
UID seems enough to me.
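
Added example, not part of the original message and not TORQUE's code: one way a spool-file check could accept both group-assignment behaviours discussed in this thread, treating the group as valid when it equals either the job's group or the spool directory's group, while still requiring the expected UID. The function names, the `job.OU` file name and the temporary directory are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700   /* added example, not TORQUE source; names are hypothetical */
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum verdict { SPOOL_OK, SPOOL_BAD_TYPE, SPOOL_BAD_UID, SPOOL_BAD_GID, SPOOL_ERR };

/* Policy: the owner must be the job user. The group may be the job's group
 * (SysV semantics) or the spool directory's group (BSD semantics). */
enum verdict judge(const struct stat *f, const struct stat *dir, uid_t uid, gid_t gid)
{
    if (!S_ISREG(f->st_mode)) return SPOOL_BAD_TYPE;
    if (f->st_uid != uid) return SPOOL_BAD_UID;
    if (f->st_gid != gid && f->st_gid != dir->st_gid) return SPOOL_BAD_GID;
    return SPOOL_OK;
}

/* Stat through descriptors so the object checked is the object opened.
 * O_NOFOLLOW refuses a symlink; O_NONBLOCK avoids hanging on a FIFO. */
enum verdict check_spool_file(int dfd, const char *name, uid_t uid, gid_t gid)
{
    struct stat fst, dst;
    enum verdict v = SPOOL_ERR;
    int fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return v;
    if (fstat(fd, &fst) == 0 && fstat(dfd, &dst) == 0)
        v = judge(&fst, &dst, uid, gid);
    close(fd);
    return v;
}

enum verdict demo(void)   /* a constructed temporary directory stands in for the spool */
{
    char dir[] = "/tmp/spoolXXXXXX";
    enum verdict v = SPOOL_ERR;
    int dfd = mkdtemp(dir) ? open(dir, O_RDONLY | O_DIRECTORY) : -1;
    if (dfd < 0) return v;
    int fd = openat(dfd, "job.OU", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        close(fd);
        v = check_spool_file(dfd, "job.OU", geteuid(), getegid());
        unlinkat(dfd, "job.OU", 0);
    }
    close(dfd);
    rmdir(dir);
    return v;
}
int main(void) { return demo() == SPOOL_OK ? 0 : 1; }
```

The new file passes on either kind of system, because its group matches the process's group or the directory's group; a file whose group was changed to something else is still rejected.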


