Hi Joe,

Thanks for looking at this, this definitely answers my question. So I think that in our case it is sufficient to just check for unescaped double quotes in DN strings.

Thanks again,
Paul

On 16 October 2014 20:14, Joseph Bester <[email protected]> wrote:

> These are intended to be used by sysadmins, and it's pretty explicit about what it does, so it should hopefully be clear when weird things are being added to the gridmap.
>
> That said, it would be good to have some better error checking:
> - Escape quotes in the DN passed on the command-line
> - Check that the LN strings are valid usernames before they get mushed together into a shell string separated by whitespace
> - Improve the gridmap parsing in the part that checks if the DN is already in the gridmap
>
> As to your other question about newlines, the gridmap parser that the services use parses a line at a time, so I don't think newlines in quoted strings should affect it at all.
>
> I've added an issue into our tracker, though I think it's a fairly low priority issue https://globus.atlassian.net/browse/GT-564
>
> Joe
>
> On Oct 16, 2014, at 10:11 AM, Paul Hopkins <[email protected]> wrote:
>
> > Hi all,
> >
> > We currently use Globus tools within our organisation to allow our users to access a number of compute clusters. To manage the grid mapfiles across all of the cluster sites we have developed software that periodically downloads information from a central LDAP and updates the mapfile at each site. In order for users to manage their own grid subjects there is a webpage which allows the user to enter their grid subjects and these are then stored unsanitised in the LDAP. We have now realised that by adding extra double-quote characters it is possible for users to enter malicious subject entries which would allow them to log in to other people's accounts. For example if I enter a subject
> >
> > /DC=org/DC=cilogon/C=US/O=LIGO/CN=Paul Hopkins [email protected]" albert.einstein "
> >
> > Then our tool would enter it into the mapfile as:
> >
> > "/DC=org/DC=cilogon/C=US/O=LIGO/CN=Paul Hopkins [email protected]" albert.einstein "" paul.hopkins
> >
> > which allows me to log in as albert.einstein.
> >
> > I realise that the problem is entirely our own creation and we have now made steps to prevent unescaped double quotes from being allowed through. However, during my research I found that the Globus tool grid-mapfile-add-entry also allows one to insert potentially dangerous subject entries. For example:
> >
> > # SUBJECT='/DC=org/DC=example/DC=grid/CN=Joe User" root "'
> > # grid-mapfile-add-entry -dn "${SUBJECT}" -ln joe.user
> > Modifying /etc/grid-security/grid-mapfile ...
> > New entry:
> > "/DC=org/DC=example/DC=grid/CN=Joe User" root "" joe.user
> >
> > Furthermore, grid-mapfile-check-consistency does not pick up on the problem either. However, it does complain if you separate the user list with a comma and a space:
> >
> > Checking /etc/grid-security/grid-mapfile grid mapfile
> > Verifying grid mapfile existence...OK
> > Checking for duplicate entries...
> > ERROR: Missing double quotes in the following entry:
> > "/DC=org/DC=cilogon/C=US/O=LIGO/CN=Paul Hopkins [email protected]" paul.hopkins, joe.user
> > OK
> > Checking for valid user names...OK
> >
> > I wonder if it is sufficient to just check for unescaped double quotes? It may be possible to use new-lines but our workflow does not allow this. Are there any other things we should be looking for? Should the Globus tools pick up on these problems?
> >
> > Thanks in advance,
> >
> > Paul
> >
> > --
> > Paul Hopkins
> > Computational Infrastructure Scientist
> > Cardiff University
> >
> > [email protected]
> > Office: +44 (0)2920 876964

--
Paul Hopkins
Computational Infrastructure Scientist
Cardiff University

[email protected]
Office: +44 (0)2920 876964
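
Added example, not part of the original messages and not Globus code: a sketch of the checks discussed in this thread (reject unescaped double quotes and control characters in the DN, validate each LN) applied before a mapfile line is written. The function names, the username policy in USERNAME_RE and the simplified parse_entry reader are assumptions made for illustration; the subject string is the one quoted in the thread.

```python
import re

# Assumed local policy for account names (LN); adjust to the site's rules.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")

def dn_problem(dn):
    """Return why dn cannot sit inside a quoted gridmap field, or None."""
    if not dn:
        return "empty DN"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in dn):
        return "control character (newline etc.) in DN"
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            if i + 1 == len(dn):
                return "trailing backslash would escape the closing quote"
            i += 2  # skip the backslash and the character it escapes
        elif dn[i] == '"':
            return "unescaped double quote at offset %d" % i
        else:
            i += 1
    return None

def naive_entry(dn, local_names):
    """What an unchecked tool writes: the DN wrapped in quotes verbatim."""
    return '"%s" %s' % (dn, ",".join(local_names))

def safe_entry(dn, local_names):
    """Build a gridmap line only if the DN and every LN pass validation."""
    problem = dn_problem(dn)
    if problem:
        raise ValueError(problem)
    bad = [ln for ln in local_names if not USERNAME_RE.fullmatch(ln)]
    if bad or not local_names:
        raise ValueError("invalid local name(s): %r" % bad)
    return naive_entry(dn, local_names)

def parse_entry(line):
    """Simplified stand-in for a gridmap reader (not the Globus parser):
    quoted DN up to the first unescaped quote, then the next token."""
    m = re.match(r'\s*"((?:[^"\\]|\\.)*)"\s+(\S+)', line)
    return (m.group(1), m.group(2).split(",")) if m else None

# Constructed demo inputs; EVIL is the subject string quoted in the thread.
EVIL = '/DC=org/DC=example/DC=grid/CN=Joe User" root "'
GOOD = '/DC=org/DC=example/DC=grid/CN=Joe User'

if __name__ == "__main__":
    print(parse_entry(naive_entry(EVIL, ["joe.user"])))  # LN read back as root
    print(dn_problem(EVIL))
    print(safe_entry(GOOD, ["joe.user"]))
```

The trailing-backslash case is included because a DN ending in a lone backslash would escape the closing quote even though it contains no double quote itself.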
