[torquedev] patch: gssapi: check permissions on server_priv/creds/
garrick at clusterresources.com
Sun Feb 25 18:29:24 MST 2007
On Sun, Feb 25, 2007 at 11:55:43PM +0100, Sergio Gelato alleged:
> I've now started modifying (hopefully improving) the GSSAPI code. I'll
> submit patches as they mature. Here is a simple one to create the
> server_priv/creds directory (where credentials are cached for jobs
> in the queue) with the right permissions, and chk_file_sec() accordingly.
> The changes to src/lib/Liblog/chk_file_sec.c and src/tools/chk_tree.c
> may be worth applying to the trunk right away. Those to
> buildutils/pbs_mkdirs.in and src/server/pbsd_init.c, on the other hand,
> are specific to the gssapi branch.
I've patched trunk and gssapi branch as suggested.
> + @INCLUDE_GSSAPI_TRUE@ chk_tree_wrap -d -n -u 077 $PBS_SERVER_HOME/server/priv/creds || return 1
> + @INCLUDE_GSSAPI_TRUE@ chk_tree_wrap -d -u 077 $PBS_SERVER_HOME/server/priv/creds || return 1
Btw, should have been "server_priv/creds".
> diff -urNad torque-2.1.99+r1247/src/lib/Liblog/chk_file_sec.c /tmp/dpep.gFzfbd/torque-2.1.99+r1247/src/lib/Liblog/chk_file_sec.c
> --- torque-2.1.99+r1247/src/lib/Liblog/chk_file_sec.c 2007-02-25 22:23:40.302825683 +0100
> +++ /tmp/dpep.gFzfbd/torque-2.1.99+r1247/src/lib/Liblog/chk_file_sec.c 2007-02-25 22:29:13.056630142 +0100
> @@ -250,6 +250,12 @@
> rc = EACCES;
> + /* check any remaining bits */
> + if (i & disallow & ~(S_IWGRP|S_IWOTH))
> + rc = EACCES;
Everytime we change this code, we break someone's odd corner case with
symlinks and NFS. I've gone ahead and applied the patch, but be sure to
watch the list for the eventual complaint :)
More information about the torquedev