[torqueusers] [torquedev] TORQUE authorization security vulnerability
mej at lbl.gov
Wed Aug 10 13:15:52 MDT 2011
On Tuesday, 09 August 2011, at 17:00:41 (-0600),
Ken Nielson wrote:
> Here is the algorithm for the vulnerability. The work around is
> pretty easy. Let us know if you have any comments.
Clearly I'm missing something here.
Sure, "privileged port" trust is only viable in certain
carefully-firewalled and methodically-engineered scenarios. We
learned that back in the mid-90's with NFS and RSH. Ditto for
remotely-supplied data (including remote user identity).
It seems to me that anyone who's seen an error message pop up with
"ruserok()" in it already ought to know that very lax authentication
and authorization is taking place. But TORQUE is only one of several
such services in a clustered environment.
It's not clear how any properly-managed system (read: firewalled
and/or access controlled) would be vulnerable to this sort of attack.
If you have root on an external system, you shouldn't be able to
connect to the scheduler port anyway, so no dice. If you are a
regular user on the internal system, you can't open a privileged port
(and can probably already qsub anyway), so no dice.
The only issue comes if someone gains root on an internal system. If
that happens, quite frankly, submitting jobs to the scheduler will be
the least of my worries.
So what am I missing? :-)
Michael Jennings <mej at lbl.gov>
Linux Systems and Cluster Engineer
High-Performance Computing Services
Bldg 50B-3209E W: 510-495-2687
MS 050C-3396 F: 510-486-8615
More information about the torqueusers