[torquedev] [Bug 84] New: Security bug on the way checkpoint is being handled

Mon Sep 27 08:25:25 MDT 2010

http://www.clusterresources.com/bugzilla/show_bug.cgi?id=84

           Summary: Security bug on the way checkpoint is being handled
           Product: TORQUE
           Version: 2.4.x
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: pbs_server
        AssignedTo: glen.beane at gmail.com
        ReportedBy: robinr at muohio.edu
                CC: torquedev at supercluster.org
   Estimated Hours: 0.0

Sequence of events:
1) user1 submitted a job with checkpoint enabled
2) user1 qhold it (i.e., checkpoints it), 
3) pbs_server will create
/var/spool/torque/checkpoint/110760.torque.hpc.muohio.edu.CK/ and then
root at compute-node will do scp the checkpoint-context to
user1 at torque-server:/var/spool/torque/checkpoint/110760.torque.hpc.muohio.edu.CK/

The checkpoint directory right now is being created with 777 without the sticky
bit. As a side note, because user1 needs to write into the checkpoint dir
(because of the scp command), /var/spool/torque/checkpoint needs to be at least
others-executable.

This combination allows all other users to replace the user1's checkpoint file
under the check point dir. This presents a security risk.

A simple patch to job_func.c will fix this, in 2.4.10 source,

# diff ./job_func.c ./job_func.c.dist
1119c1119
<   if ((mkdir(serverfile, 01777) == -1) && (errno != EEXIST))
---
>   if ((mkdir(serverfile, 0777) == -1) && (errno != EEXIST))

Perhaps, other ways to fix it is to create 110760.torque.hpc.muohio.edu.CK with
user1 as owner and just 700 the 110760.torque.hpc.muohio.edu.CK directory.

-- 
Configure bugmail: http://www.clusterresources.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.