[torqueusers] [torquedev] TORQUE authorization security vulnerability

David Beer dbeer at adaptivecomputing.com
Wed Aug 10 13:37:00 MDT 2011



----- Original Message -----
> On Tuesday, 09 August 2011, at 17:00:41 (-0600),
> Ken Nielson wrote:
> 
> > Here is the algorithm for the vulnerability. The workaround is
> > pretty easy. Let us know if you have any comments.
> 
> Clearly I'm missing something here.
> 
> Sure, "privileged port" trust is only viable in certain
> carefully-firewalled and methodically-engineered scenarios. We
> learned that back in the mid-90's with NFS and RSH. Ditto for
> remotely-supplied data (including remote user identity).
> 
> It seems to me that anyone who's seen an error message pop up with
> "ruserok()" in it already ought to know that very lax authentication
> and authorization is taking place. But TORQUE is only one of several
> such services in a clustered environment.
> 

Absolutely right - what TORQUE does here is in no way rare for cluster software.

> It's not clear how any properly-managed system (read: firewalled
> and/or access controlled) would be vulnerable to this sort of attack.
> If you have root on an external system, you shouldn't be able to
> connect to the scheduler port anyway, so no dice. If you are a
> regular user on the internal system, you can't open a privileged port
> (and can probably already qsub anyway), so no dice.
> 
> The only issue comes if someone gains root on an internal system. If
> that happens, quite frankly, submitting jobs to the scheduler will be
> the least of my worries.
> 
> So what am I missing? :-)
> 

Your reasoning is exactly why many sites that require extreme levels of security (i.e. are working with completely classified information) still use TORQUE as their resource manager.

-- 
David Beer 
Direct Line: 801-717-3386 | Fax: 801-717-3738
     Adaptive Computing
     1656 S. East Bay Blvd. Suite #300
     Provo, UT 84606
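
The three cases walked through in the quoted message (external host, internal regular user, internal root), written out as a server-side check. This is an added example, not TORQUE's code and not part of the original message; the cluster network 10.1.0.0/16, the 1024 limit constant, and the names classify_peer and classify are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed site policy (assumption): the internal cluster network. */
#define CLUSTER_NET         "10.1.0.0"
#define CLUSTER_BITS        16
#define RESERVED_PORT_LIMIT 1024   /* ports below this need root to bind */

enum verdict { REJECT_EXTERNAL, REJECT_UNPRIVILEGED, TRUST_CLAIMED_USER };

/* Classify a peer from the address getpeername() reports for its socket. */
enum verdict classify_peer(const struct sockaddr_in *peer)
{
    struct in_addr net;
    uint32_t mask = htonl(0xFFFFFFFFu << (32 - CLUSTER_BITS));
    inet_pton(AF_INET, CLUSTER_NET, &net);

    /* Case 1: outside the cluster. The firewall should already have
     * dropped this connection; the daemon checks again as a second layer. */
    if ((peer->sin_addr.s_addr & mask) != (net.s_addr & mask))
        return REJECT_EXTERNAL;
    /* Case 2: any local user can bind a source port >= 1024, so such a
     * peer proves nothing about who is talking. */
    if (ntohs(peer->sin_port) >= RESERVED_PORT_LIMIT)
        return REJECT_UNPRIVILEGED;
    /* Case 3: the peer process had root on an internal host. The user name
     * it sends is accepted as-is, so every internal root is fully trusted. */
    return TRUST_CLAIMED_USER;
}

/* Helper for the demo: build the sockaddr from text and classify it. */
enum verdict classify(const char *ip, unsigned port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((uint16_t)port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1)
        return REJECT_EXTERNAL;   /* unparsable address: fail closed */
    return classify_peer(&sa);
}

int main(void)
{
    printf("%d %d %d\n", classify("192.0.2.7", 1023),
           classify("10.1.4.20", 40000), classify("10.1.4.20", 1023));
    return 0;
}
```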


