[torqueusers] [torquedev] TORQUE authorization security vulnerability

Christopher Samuel samuel at unimelb.edu.au
Tue Aug 9 19:00:47 MDT 2011



On 10/08/11 09:00, Ken Nielson wrote:

> Torque's server, during authorization relies on data provided
> by "qsub" client.

Ouch, very NFS (well, non-kerberos NFS at least).. :-)

> Qsub provides submit host name to server (hidden way), which
> is used by server to authenticate request.

So, in other words, changing the pbs_server to ignore this
info from the client and just use its own info sources to get
the hostname will fix this in a backwards-compatible way?

i.e. look up the client's IP address to get its purported hostname
and then check that the purported hostname resolves back to
the client's IP address.

cheers,
Chris
-- 
    Christopher Samuel - Senior Systems Administrator
 VLSCI - Victorian Life Sciences Computation Initiative
 Email: samuel at unimelb.edu.au Phone: +61 (0)3 903 55545
         http://www.vlsci.unimelb.edu.au/

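The check Chris describes above, written out as an added example (not TORQUE's own code): the server derives the submit hostname from the peer's address through its own resolver and accepts it only when that name resolves back to the same address, so whatever name qsub sends is never part of the decision. The hostnames and addresses in the sample tables are constructed, and the resolver functions are injected so the check runs offline.

```python
# Added example (not TORQUE code): forward-confirmed reverse DNS, so pbs_server
# derives the submit host from the peer address via its own resolver instead
# of trusting the name qsub sends.
import socket
from typing import Callable, Iterable, Optional, Tuple

ReverseFn = Callable[[str], str]            # ip -> PTR hostname
ForwardFn = Callable[[str], Iterable[str]]  # hostname -> A/AAAA addresses


def system_reverse(ip: str) -> str:
    """PTR lookup through the server's own resolver."""
    return socket.gethostbyaddr(ip)[0]


def system_forward(hostname: str) -> list:
    """Every address the server's own resolver returns for hostname."""
    return [info[4][0] for info in socket.getaddrinfo(hostname, None)]


def confirmed_client_hostname(peer_ip: str, reverse: ReverseFn = system_reverse,
                              forward: ForwardFn = system_forward) -> Optional[str]:
    """Hostname for peer_ip, but only if PTR -> name -> address round-trips."""
    try:
        name = reverse(peer_ip).lower().rstrip(".")
        addrs = {a.lower() for a in forward(name)}
    except (OSError, KeyError):  # socket.herror/gaierror are OSError subclasses
        return None
    return name if peer_ip.lower() in addrs else None


def authorize_submit_host(peer_ip: str, claimed_host: str, allowed_hosts: set,
                          reverse: ReverseFn = system_reverse,
                          forward: ForwardFn = system_forward) -> Tuple[bool, str]:
    """Decide on the server-derived name; claimed_host is reported, never trusted."""
    confirmed = confirmed_client_hostname(peer_ip, reverse, forward)
    if confirmed is None:
        return False, "peer %s does not forward-confirm (claimed %r)" % (peer_ip, claimed_host)
    if confirmed not in allowed_hosts:
        return False, "confirmed host %s is not an allowed submit host" % confirmed
    return True, confirmed


# Constructed resolver tables (hypothetical hosts) standing in for DNS offline:
# 10.0.0.9 has a PTR whose name resolves elsewhere, so it must not confirm.
SAMPLE_PTR = {"10.0.0.5": "Node5.cluster.example.", "10.0.0.9": "ghost.example"}
SAMPLE_A = {"node5.cluster.example": ["10.0.0.5"], "ghost.example": ["10.0.0.77"]}
sample_reverse = SAMPLE_PTR.__getitem__   # raises KeyError for unknown addresses
sample_forward = SAMPLE_A.__getitem__
```

With the system resolvers left as defaults, `authorize_submit_host(peer_ip, claimed, allowed)` makes the same decision against live DNS.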

