Hi all,

We currently use Globus tools within our organisation to allow our users to access a number of compute clusters. To manage the grid mapfiles across all of the cluster sites we have developed software that periodically downloads information from a central LDAP and updates the mapfile at each site. In order for users to manage their own grid subjects there is a webpage which allows the user to enter their grid subjects, and these are then stored unsanitised in the LDAP.

We have now realised that by adding extra double-quote characters it is possible for users to enter malicious subject entries which would allow them to log in to other people's accounts. For example, if I enter a subject

    /DC=org/DC=cilogon/C=US/O=LIGO/CN=Paul Hopkins [email protected]" albert.einstein "

then our tool would enter it into the mapfile as:

    "/DC=org/DC=cilogon/C=US/O=LIGO/CN=Paul Hopkins [email protected]" albert.einstein "" paul.hopkins

which allows me to log in as albert.einstein.

I realise that the problem is entirely our own creation and we have now taken steps to prevent unescaped double quotes from being allowed through. However, during my research I found that the Globus tool grid-mapfile-add-entry also allows one to insert potentially dangerous subject entries. For example:

    # SUBJECT='/DC=org/DC=example/DC=grid/CN=Joe User" root "'
    # grid-mapfile-add-entry -dn "${SUBJECT}" -ln joe.user
    Modifying /etc/grid-security/grid-mapfile ...
    New entry:
    "/DC=org/DC=example/DC=grid/CN=Joe User" root "" joe.user

Furthermore, grid-mapfile-check-consistency does not pick up on the problem either. However, it does complain if you separate the user list with a comma and a space:

    Checking /etc/grid-security/grid-mapfile grid mapfile
    Verifying grid mapfile existence...OK
    Checking for duplicate entries...
    ERROR: Missing double quotes in the following entry:
    "/DC=org/DC=cilogon/C=US/O=LIGO/CN=Paul Hopkins [email protected]" paul.hopkins, joe.user
    OK
    Checking for valid user names...OK

I wonder if it is sufficient to just check for unescaped double quotes? It may be possible to use newlines but our workflow does not allow this. Are there any other things we should be looking for? Should the Globus tools pick up on these problems?

Thanks in advance,

Paul

--
Paul Hopkins
Computational Infrastructure Scientist
Cardiff University
[email protected]
Office: +44 (0)2920 876964
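
An added example, not part of the original post and not Globus code: a strict formatter for new entries plus an audit pass that flags any existing mapfile line that is not exactly one quoted subject followed by a comma-separated list of local names. The function names, the rule that a subject starts with '/', the character policy and the local-name syntax are assumptions made for this sketch.

```python
import re

# Assumed policy, stricter than the file format requires: a subject may not
# contain double quotes, backslashes or control characters (newlines included).
_BAD_DN_CHARS = re.compile(r'["\\\x00-\x1f\x7f]')
# Assumed syntax for local account names; adjust to the site's own policy.
_LOCAL_NAME = re.compile(r'[A-Za-z_][A-Za-z0-9_.-]*\Z')
# Strict shape of one mapfile line: "DN" name[,name...] and nothing else.
_ENTRY = re.compile(r'"([^"\\]+)"[ \t]+(\S+)\Z')

# Constructed sample; line 3 has the shape of the injected entry in the post.
SAMPLE = '''# constructed sample mapfile
"/DC=org/DC=example/DC=grid/CN=Alice Example" alice
"/DC=org/DC=example/DC=grid/CN=Joe User" root "" joe.user
"/DC=org/DC=example/DC=grid/CN=Bob Example" bob,bob2
'''


def format_entry(dn, local_names):
    """Return one mapfile line, or raise ValueError if a field is unsafe."""
    # Assumption: every subject is written in the '/'-separated form.
    if not dn.startswith('/') or _BAD_DN_CHARS.search(dn):
        raise ValueError('unsafe subject: %r' % (dn,))
    if not local_names or not all(_LOCAL_NAME.match(n) for n in local_names):
        raise ValueError('unsafe local name in %r' % (local_names,))
    return '"%s" %s' % (dn, ','.join(local_names))


def audit_mapfile(text):
    """Return (line_number, line) for each line that is not a strict entry."""
    suspicious = []
    for number, line in enumerate(text.split('\n'), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue  # blank line or comment
        match = _ENTRY.match(stripped)
        names = match.group(2).split(',') if match else []
        ok = (bool(names)
              and all(_LOCAL_NAME.match(n) for n in names)
              and not _BAD_DN_CHARS.search(match.group(1)))
        if not ok:
            suspicious.append((number, stripped))
    return suspicious


if __name__ == '__main__':
    for number, line in audit_mapfile(SAMPLE):
        print('line %d does not parse as a single mapping: %s' % (number, line))
```

Rejecting on a strict grammar, rather than searching for one known-bad character, also covers the newline case and the "comma and a space" list raised in the post.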
