[torqueusers] [torquedev] TORQUE authorization security vulnerability
David Beer
dbeer at adaptivecomputing.com
Wed Aug 10 13:37:00 MDT 2011
----- Original Message -----
> On Tuesday, 09 August 2011, at 17:00:41 (-0600),
> Ken Nielson wrote:
>
> > Here is the algorithm for the vulnerability. The workaround is
> > pretty easy. Let us know if you have any comments.
>
> Clearly I'm missing something here.
>
> Sure, "privileged port" trust is only viable in certain
> carefully-firewalled and methodically-engineered scenarios. We
> learned that back in the mid-90's with NFS and RSH. Ditto for
> remotely-supplied data (including remote user identity).
>
> It seems to me that anyone who's seen an error message pop up with
> "ruserok()" in it already ought to know that very lax authentication
> and authorization is taking place. But TORQUE is only one of several
> such services in a clustered environment.
>
Absolutely right - what TORQUE does here is in no way rare for cluster software.
> It's not clear how any properly-managed system (read: firewalled
> and/or access controlled) would be vulnerable to this sort of attack.
> If you have root on an external system, you shouldn't be able to
> connect to the scheduler port anyway, so no dice. If you are a
> regular user on the internal system, you can't open a privileged port
> (and can probably already qsub anyway), so no dice.
>
> The only issue comes if someone gains root on an internal system. If
> that happens, quite frankly, submitting jobs to the scheduler will be
> the least of my worries.
>
> So what am I missing? :-)
>
Your reasoning is exactly why many sites that require extreme levels of security (i.e. are working with completely classified information) still use TORQUE as their resource manager.
--
David Beer
Direct Line: 801-717-3386 | Fax: 801-717-3738
Adaptive Computing
1656 S. East Bay Blvd. Suite #300
Provo, UT 84606
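
The trust check discussed in this thread, sketched as an added example (not part of the original messages and not TORQUE's code): a server accepts the user identity a client claims when the connection comes from the cluster network and from a source port below 1024. The function names, the 10.0.0.0/8 cluster network and the sample peers are assumptions constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PRIV_PORT_LIMIT 1024 /* binding below this needs root on Unix */

enum verdict { REJECT_NETWORK, REJECT_PORT, ACCEPT_CLAIMED_USER };

/* Constructed peer address, as a server would get it from getpeername(). */
static struct sockaddr_in make_peer(const char *ip, uint16_t port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    inet_pton(AF_INET, ip, &sa.sin_addr);
    return sa;
}

/* 1 if the peer lies inside net/prefix_len (assumed cluster network). */
static int in_network(const struct sockaddr_in *peer, const char *net, int prefix_len)
{
    struct in_addr n;
    if (prefix_len < 1 || prefix_len > 32 || inet_pton(AF_INET, net, &n) != 1)
        return 0;
    uint32_t mask = htonl(0xFFFFFFFFu << (32 - prefix_len));
    return (peer->sin_addr.s_addr & mask) == (n.s_addr & mask);
}

/* Everything the server learns is source address and source port. */
static enum verdict check_peer(const struct sockaddr_in *peer, const char *net, int prefix_len)
{
    if (!in_network(peer, net, prefix_len))
        return REJECT_NETWORK;   /* outside host, even with root there */
    if (ntohs(peer->sin_port) >= PRIV_PORT_LIMIT)
        return REJECT_PORT;      /* unprivileged process on an inside host */
    return ACCEPT_CLAIMED_USER;  /* root on an inside host: identity is taken on trust */
}

int main(void)
{
    struct sockaddr_in peers[] = { make_peer("203.0.113.7", 900),
        make_peer("10.1.2.3", 40000), make_peer("10.1.2.3", 1023) };
    for (int i = 0; i < 3; i++)
        printf("peer %d -> verdict %d\n", i, check_peer(&peers[i], "10.0.0.0", 8));
    return 0;
}
```

The accepted case is the one the thread singles out: the check establishes that root on an internal host opened the socket, and nothing about which user is on the other end.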