[torqueusers] [torquedev] TORQUE authorization security vulnerability
David.Singleton at anu.edu.au
Tue Aug 9 15:05:17 MDT 2011
On 08/10/2011 06:40 AM, "Mgr. Šimon Tóth" wrote:
>> I do not know how widespread this is but there is a security vulnerability in the TORQUE authorization between client and server when using the default authorization method. Using MUNGE closes this hole but we would like to add an additional, more universal secure authorization method.
> There was a high risk security advisory from EGI-CSIRT, so it should be
> pretty widespread. Our security guys were pretty shocked when I
> explained that any root on any machine (ignoring the ACL which we are
> using of course) has full access to the server. :-D
Hmmm, I guess the details are being kept undisclosed? How does a site
find out if it is an issue for them?