[torqueusers] [torquedev] TORQUE authorization security vulnerability

David Beer dbeer at adaptivecomputing.com
Tue Aug 9 15:19:00 MDT 2011

----- Original Message -----
> On 08/10/2011 06:40 AM, "Mgr. Šimon Tóth" wrote:
> >> I do not know how wide spread this is but there is a security
> >> vulnerability in the TORQUE authorization between client and server
> >> when using the default authorization method. Using MUNGE closes
> >> this hole but we would like to add an additional, more universal
> >> secure authorization method.
> >
> > There was a high risk security advisory from EGI-CSIRT, so it should
> > be
> > pretty wide spread. Our security guys were pretty shocked when I
> > explained that any root on any machine (ignoring the ACL which we
> > are
> > using of course) has full access to the server. :-D
> Hmmm, I guess the details are being kept undisclosed? How does a site
> find out if it is an issue for them?
> David

Essentially, TORQUE uses the idea for cluster security that individual machines in the cluster are secure, therefore you can trust root users. (For the record, this isn't due to something that Adaptive Computing has changed or even a decision made by Adaptive Computing. This is how security has been done in TORQUE from the beginning)

For many sites, this makes them uncomfortable because it doesn't truly additional security for itself, but it isn't a problem because having root access is secured. That being said, it is very desirable to have improved security.

David Beer 
Direct Line: 801-717-3386 | Fax: 801-717-3738
     Adaptive Computing
     1656 S. East Bay Blvd. Suite #300
     Provo, UT 84606

More information about the torqueusers mailing list