These are intended to be used by sysadmins, and it's pretty explicit about what it does, so it should hopefully be clear when weird things are being added to the gridmap.
That said, it would be good to have some better error checking: - Escape quotes in the DN passed on the command-line - Check that the LN strings are valid usernames before they get mushed together into a shell string separated by whitespace - Improve the gridmap parsing in the part that checks if the DN is already in the gridmap As to your other question about newlines, the gridmap parser that the services use parses a line at a time, so I don't think newlines in quoted strings should affect it at all. I've added an issue into our tracker, though I think it's a fairly low priority issue https://globus.atlassian.net/browse/GT-564 Joe On Oct 16, 2014, at 10:11 AM, Paul Hopkins <[email protected]> wrote: > Hi all, > > We currently use Globus tools within our organisation to allow our users to > access a number of compute clusters. To manage the grid mapfiles across all > of the cluster sites we have developed software that periodically downloads > information from a central LDAP and updates the mapfile at each site. In > order for users to manage their own grid subjects there is a webpage which > allows the user to enter their grid subjects and these are then stored > unsanitised in the LDAP. We have now realised that by adding extra > double-quotes characters it is possible for users to enter malicious subjects > entries which would allow them to login to other peoples accounts. For > example if I enter a subject > > /DC=org/DC=cilogon/C=US/O=LIGO/CN=Paul Hopkins [email protected]" > albert.einstein " > > Then our tool would enter it into the mapfile as: > > "/DC=org/DC=cilogon/C=US/O=LIGO/CN=Paul Hopkins [email protected]" > albert.einstein "" paul.hopkins > > which allows me to login as albert.einstein. > > I realise that the problem is entirely our own creation and we have now made > steps to prevent unescaped double quotes from being allowed through. However, > during my research I found that the Globus tool grid-mapfile-add-entry also > allows one to insert potentially dangerous subject entries. For example: > > # SUBJECT='/DC=org/DC=example/DC=grid/CN=Joe User" root "' > # grid-mapfile-add-entry -dn "${SUBJECT}" -ln joe.user > Modifying /etc/grid-security/grid-mapfile ... > New entry: > "/DC=org/DC=example/DC=grid/CN=Joe User" root "" joe.user > > Furthermore, grid-mapfile-check-consistency does not pick up on the problem > either. However, it does complain if you separate the user list with a comma > and a space: > > Checking /etc/grid-security/grid-mapfile grid mapfile > Verifying grid mapfile existence...OK > Checking for duplicate entries... > ERROR: Missing double quotes in the following entry: > "/DC=org/DC=cilogon/C=US/O=LIGO/CN=Paul Hopkins [email protected]" > paul.hopkins, joe.user > OK > Checking for valid user names...OK > > I wonder if it is sufficient to just check for unescaped double quotes? It > may be possible to use new-lines but our workflow does not allow this. Is > there any other things we should be looking for? Should the Globus tools pick > up on these problems? > > Thanks in advance, > > Paul > > -- > Paul Hopkins > Computational Infrastructure Scientist > Cardiff University > > [email protected] > Office: +44 (0)2920 876964
