[torqueusers] [torquedev] TORQUE authorization security vulnerability

David Beer dbeer at adaptivecomputing.com
Wed Aug 10 13:37:00 MDT 2011

----- Original Message -----
> On Tuesday, 09 August 2011, at 17:00:41 (-0600),
> Ken Nielson wrote:
> > Here is the algorithm for the vulnerability. The workaround is
> > pretty easy. Let us know if you have any comments.
> Clearly I'm missing something here.
> Sure, "privileged port" trust is only viable in certain
> carefully-firewalled and methodically-engineered scenarios. We
> learned that back in the mid-90's with NFS and RSH. Ditto for
> remotely-supplied data (including remote user identity).
> It seems to me that anyone who's seen an error message pop up with
> "ruserok()" in it already ought to know that very lax authentication
> and authorization is taking place. But TORQUE is only one of several
> such services in a clustered environment.

Absolutely right - what TORQUE does here is in no way rare for cluster software.

> It's not clear how any properly-managed system (read: firewalled
> and/or access controlled) would be vulnerable to this sort of attack.
> If you have root on an external system, you shouldn't be able to
> connect to the scheduler port anyway, so no dice. If you are a
> regular user on the internal system, you can't open a privileged port
> (and can probably already qsub anyway), so no dice.
> The only issue comes if someone gains root on an internal system. If
> that happens, quite frankly, submitting jobs to the scheduler will be
> the least of my worries.
> So what am I missing? :-)

Your reasoning is exactly why many sites that require extreme levels of security (i.e. are working with completely classified information) still use TORQUE as their resource manager.

David Beer 
Direct Line: 801-717-3386 | Fax: 801-717-3738
     Adaptive Computing
     1656 S. East Bay Blvd. Suite #300
     Provo, UT 84606
