[torqueusers] [torquedev] TORQUE authorization security vulnerability

"Mgr. Šimon Tóth" toth at fi.muni.cz
Tue Aug 9 17:06:52 MDT 2011

> Here is the algorithm for the vulnerability. The work around is pretty easy. Let us know if you have any comments.

The bigger issue is that this is an underestimated problem (yes this is 
a side bug).

Your are not safe if you fix this. If a site is not firewalled, or using 
ACL, or has machines which are not "safe" in ACL, then the site is 
completely open.

Each connection from a privileged port is marked as server connection 
and receives full access rights - this includes modifying any server 
setting, managing nodes, running any jobs under any desired account, etc...

The default setting for Torque after installation should definitely have 
ACL turned on. That way only configured nodes and the server can be used 
to initiate connections to the server.

If you want to enable connections from machines you have no control 
over, you have to use a different mechanism for that (we use GSSAPI).

Mgr. Simon Toth

More information about the torqueusers mailing list