[torqueusers] [torquedev] TORQUE authorization security vulnerability
dbeer at adaptivecomputing.com
Wed Aug 10 13:37:00 MDT 2011
----- Original Message -----
> On Tuesday, 09 August 2011, at 17:00:41 (-0600),
> Ken Nielson wrote:
> > Here is the algorithm for the vulnerability. The workaround is
> > pretty easy. Let us know if you have any comments.
> Clearly I'm missing something here.
> Sure, "privileged port" trust is only viable in certain
> carefully-firewalled and methodically-engineered scenarios. We
> learned that back in the mid-90's with NFS and RSH. Ditto for
> remotely-supplied data (including remote user identity).
> It seems to me that anyone who's seen an error message pop up with
> "ruserok()" in it already ought to know that very lax authentication
> and authorization is taking place. But TORQUE is only one of several
> such services in a clustered environment.

Absolutely right - what TORQUE does here is in no way rare for cluster software.

> It's not clear how any properly-managed system (read: firewalled
> and/or access controlled) would be vulnerable to this sort of attack.
> If you have root on an external system, you shouldn't be able to
> connect to the scheduler port anyway, so no dice. If you are a
> regular user on the internal system, you can't open a privileged port
> (and can probably already qsub anyway), so no dice.
> The only issue comes if someone gains root on an internal system. If
> that happens, quite frankly, submitting jobs to the scheduler will be
> the least of my worries.
> So what am I missing? :-)

Your reasoning is exactly why many sites that require extreme levels of security (i.e. are working with completely classified information) still use TORQUE as their resource manager.

Direct Line: 801-717-3386 | Fax: 801-717-3738
1656 S. East Bay Blvd. Suite #300
Provo, UT 84606