[torqueusers] [torquedev] TORQUE authorization security vulnerability
Christopher Samuel
samuel at unimelb.edu.au
Tue Aug 9 19:00:47 MDT 2011
On 10/08/11 09:00, Ken Nielson wrote:
> Torque's server, during authorization relies on data provided
> by "qsub" client.
Ouch, very NFS (well, non-kerberos NFS at least).. :-)
> Qsub provides submit host name to server (hidden way), which
> is used by server to authenticate request.
So, in other words, changing the pbs_server to ignore this
info from the client and just use its own info sources to get
the hostname will fix this in a backwards compatible way?
i.e. look up the client's IP address to get its purported hostname
and then check that the purported hostname resolves back to
the client's IP address..
cheers,
Chris
--
Christopher Samuel - Senior Systems Administrator
VLSCI - Victorian Life Sciences Computation Initiative
Email: samuel at unimelb.edu.au Phone: +61 (0)3 903 55545
http://www.vlsci.unimelb.edu.au/
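
The check proposed in this message (reverse lookup of the peer address, then forward confirmation of the purported name), as an added example that is not part of the original post and is not TORQUE code. The function names and the sample zone data are constructed for illustration; the resolver hooks default to the system resolver and are replaceable so the logic can be exercised offline.

```python
import ipaddress
import socket

def dns_reverse(ip):
    """PTR lookup through the system resolver: the *purported* hostname."""
    return socket.gethostbyaddr(ip)[0]

def dns_forward(host):
    """A/AAAA lookup through the system resolver, as address strings."""
    return [ai[4][0] for ai in socket.getaddrinfo(host, None)]

def verified_submit_host(peer_ip, reverse=dns_reverse, forward=dns_forward):
    """Return the hostname for peer_ip only if it resolves back to peer_ip.

    peer_ip must come from the accepted socket (getpeername), never from a
    field in the request. Returns None if either lookup fails or mismatches.
    """
    peer = ipaddress.ip_address(peer_ip)
    try:
        name = reverse(peer_ip)
        answers = forward(name)
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None
    for text in answers:
        try:
            if ipaddress.ip_address(text.split("%")[0]) == peer:
                return name.rstrip(".").lower()
        except ValueError:
            continue  # resolver returned something that is not an address
    return None

# Constructed sample data: documentation address ranges and made-up names.
SAMPLE_PTR = {
    "192.0.2.10": "login1.cluster.example.",
    "198.51.100.7": "login1.cluster.example.",  # PTR claims a name it does not own
}
SAMPLE_A = {"login1.cluster.example.": ["192.0.2.10"]}

def sample_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise socket.herror(1, "Unknown host")
    return SAMPLE_PTR[ip]

def sample_forward(host):
    if host not in SAMPLE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return SAMPLE_A[host]
```

The result is only as trustworthy as the resolver and zone data the server consults, so the hostname returned here should be the one compared against the server's access lists.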