[torqueusers] Re: torque insecure information exposure

Garrick Staples garrick at usc.edu
Tue Oct 19 16:41:56 MDT 2004


Thank you Dave,
    This seems to be the desired behaviour.  I'll be rolling this out in
production soon.

On Mon, Oct 18, 2004 at 12:06:41PM -0600, jacksond at supercluster.org alleged:
> Garrick,
> 
>   The latest torque-1.1.0p4 snapshot now disables display of job 
> environment variables if the requestor is not the job owner and not an 
> admin or manager.  Please test this out at your convenience.  (It is a 
> pbs_server only change so no update of the pbs_mom daemons will be 
> required).  Things worked in local testing, please let us know what you 
> find.  If this works ok, please feel free to announce this to the list.
> 
> Dave
> 
> On Mon, 18 Oct 2004, Garrick Staples wrote:
> 
> >Hello, sorry to email you directly, but I didn't think this should be on
> >the torque list yet.
> >
> >I just realized that 'qstat -f' will happily dump a user's entire list of
> >env variables to anyone that asks.  Now, before you say, "but you can turn
> >that off with query_other_jobs"... that isn't enough.  query_other_jobs
> >shouldn't allow access to such sensitive information.
> >
> >pbs_server needs to refuse env vars to anyone that isn't in the manager's
> >list.
> >
> >

-- 
Garrick Staples, Linux/HPCC Administrator
University of Southern California
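
An added example, not part of the original thread or of TORQUE's code: a check an administrator could run over `qstat -f` text captured from an ordinary (non-manager, non-operator) account to confirm that the server no longer returns other users' environment variables. The sample text, host names, user names and the assumed output layout (indented `name = value` attributes, tab-indented continuation lines) are constructed for illustration.

```python
import re

# Constructed sample of `qstat -f` text as seen by an unprivileged user.
# Layout (indented attributes, tab-indented continuations) is an assumption.
SAMPLE = (
    "Job Id: 101.head.example.org\n"
    "    Job_Owner = alice@login1.example.org\n"
    "    Variable_List = PBS_O_HOME=/home/alice,PBS_O_LOGNAME=alice,\n"
    "\tPBS_O_WORKDIR=/home/alice/run\n"
    "\n"
    "Job Id: 102.head.example.org\n"
    "    Job_Owner = bob@login1.example.org\n"
    "    Variable_List = PBS_O_HOME=/home/bob,API_TOKEN=constructed-value,\n"
    "\tPBS_O_WORKDIR=/home/bob/fit\n"
    "\n"
    "Job Id: 103.head.example.org\n"
    "    Job_Owner = carol@login2.example.org\n"
    "    job_state = Q\n"
)

def parse_jobs(text):
    """Return {job_id: {attribute: value}} with continuation lines joined."""
    jobs, cur, key = {}, None, None
    for line in text.splitlines():
        if line.startswith("Job Id:"):
            cur = jobs.setdefault(line.split(":", 1)[1].strip(), {})
            key = None
        elif cur is None or not line.strip():
            continue
        elif line.startswith("\t") and key:
            cur[key] += line.strip()  # wrapped value continues here
        else:
            m = re.match(r"\s+(\S+) = (.*)$", line)
            if m:
                key = m.group(1)
                cur[key] = m.group(2)
    return jobs

def exposed_jobs(text, requestor):
    """Jobs not owned by `requestor` whose environment is still visible."""
    hits = {}
    for job_id, attrs in parse_jobs(text).items():
        owner = attrs.get("Job_Owner", "").split("@", 1)[0]
        if owner != requestor and "Variable_List" in attrs:
            # Report variable names only; never echo the values.
            pairs = attrs["Variable_List"].split(",")
            hits[job_id] = [p.split("=", 1)[0] for p in pairs if "=" in p]
    return hits
```

An empty result from `exposed_jobs` for an unprivileged requestor matches the behaviour described in the thread; any entry means that account can still read another owner's job environment.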