[torquedev] [torqueusers] TORQUE authorization security vulnerability
samuel at unimelb.edu.au
Tue Aug 9 19:00:47 MDT 2011
On 10/08/11 09:00, Ken Nielson wrote:
> Torque's server, during authorization, relies on data provided
> by the "qsub" client.
Ouch, very NFS (well, non-Kerberos NFS at least).. :-)
> Qsub provides submit host name to server (hidden way), which
> is used by server to authenticate request.
So, in other words, changing the pbs_server to ignore this
info from the client and just use its own info sources to get
the hostname will fix this in a backwards compatible way?
i.e. look up the client's IP address to get its purported hostname
and then check that the purported hostname resolves back to
the client's IP address..
Christopher Samuel - Senior Systems Administrator
VLSCI - Victorian Life Sciences Computation Initiative
Email: samuel at unimelb.edu.au Phone: +61 (0)3 903 55545
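
The lookup-and-confirm check described in the message above, as an added example that is not part of the original post and is not TORQUE code. The function names, the table-based resolver stand-in and the sample records are assumptions constructed for illustration; a server would use `getnameinfo()` and `getaddrinfo()` on the address returned by `getpeername()`.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample DNS data (documentation addresses, made-up names). */
struct rec { const char *name; const char *ip; };
static const struct rec PTR_RECS[] = {          /* reverse zones: ip -> name */
    { "login1.example.org", "192.0.2.10" },
    { "login1.example.org", "203.0.113.66" },   /* PTR with no matching A record */
};
static const struct rec A_RECS[] = {            /* forward zone: name -> ip */
    { "login1.example.org", "192.0.2.10" },
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical resolver stand-in; a server would call getnameinfo() with
   NI_NAMEREQD here, and getaddrinfo() for the forward step below. */
static const char *lookup_ptr(const char *ip)
{
    for (size_t i = 0; i < COUNT(PTR_RECS); i++)
        if (strcmp(PTR_RECS[i].ip, ip) == 0) return PTR_RECS[i].name;
    return NULL;
}

static int same_ipv4(const char *a, const char *b)
{
    struct in_addr x, y;
    return inet_pton(AF_INET, a, &x) == 1 && inet_pton(AF_INET, b, &y) == 1 && x.s_addr == y.s_addr;
}

/* Derive the submit host from the socket peer address alone. Returns 1 and
   fills out when the PTR name resolves back to peer_ip, otherwise 0. */
int verified_submit_host(const char *peer_ip, char *out, size_t outlen)
{
    const char *name = lookup_ptr(peer_ip);
    if (name == NULL) return 0;                  /* no reverse record */
    for (size_t i = 0; i < COUNT(A_RECS); i++)
        if (strcmp(A_RECS[i].name, name) == 0 && same_ipv4(A_RECS[i].ip, peer_ip)) {
            snprintf(out, outlen, "%s", name);
            return 1;
        }
    return 0;                                    /* forward lookup does not confirm */
}

int main(void)
{
    char h[64];
    puts(verified_submit_host("192.0.2.10", h, sizeof h) ? h : "rejected");
    puts(verified_submit_host("203.0.113.66", h, sizeof h) ? h : "rejected");
    return 0;
}
```

The second address has a reverse record naming a trusted host, but that name does not resolve back to it, so the reverse lookup alone is not accepted.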