[torquedev] root exploit in torque?

Åke Sandgren ake.sandgren at hpc2n.umu.se
Fri Oct 20 16:34:37 MDT 2006


On Fri, 2006-10-20 at 16:17 -0600, Garrick Staples wrote:
> Here is my simple patch that seems to fix the problem, but Ake has been
> studying this longer so I hope to get his confirmation.
> 
> Anyone else have any comments for this patch?
> 
> 
> Index: src/resmom/start_exec.c
> ===================================================================
> --- src/resmom/start_exec.c     (revision 1053)
> +++ src/resmom/start_exec.c     (working copy)
> @@ -678,7 +678,7 @@
>    int i;
>    int file_out = -2;
>    int file_err = -2;
> -  int filemode = O_CREAT | O_WRONLY | O_APPEND;
> +  int filemode = O_CREAT | O_WRONLY | O_APPEND | O_EXCL;
>    
>    /* if std out/err joined (set and != "n"), which file is first */
> 
> Index: src/resmom/requests.c
> ===================================================================
> --- src/resmom/requests.c       (revision 1053)
> +++ src/resmom/requests.c       (working copy)
> @@ -2468,7 +2468,7 @@
> 
>        /* redirect stderr to make error from rcp available to MOM */
> 
> -      if ((fd = open(rcperr,O_RDWR|O_CREAT,0644)) < 0)
> +      if ((fd = open(rcperr,O_RDWR|O_CREAT|O_EXCL,0644)) < 0)
>          {
>          sprintf(log_buffer,"can't open %s, error = %d",
>            rcperr,errno);

Yes, contrary to my beliefs this morning this fixes the immediate
root-exploit.

There are still some slightly more obscure problems that i'm
investigating...

More info to come...

-- 
Ake Sandgren, HPC2N, Umea University, S-90187 Umea, Sweden
Internet: ake at hpc2n.umu.se   Phone: +46 90 7866134 Fax: +46 90 7866126
Mobile: +46 70 7716134 WWW: http://www.hpc2n.umu.se



More information about the torquedev mailing list