Hi, The last two days a security vulnerability in bash have been getting a lot of publicity. The CVE identifiers are CVE-2014-6271 and CVE-2014-7169, in some places the problem is referred to as "shellshock".
All major Linux distributions have released updated bash packages, so make sure you upgrade right away if you have not done so already. I first heard of this problem right after the Slurm user group meeting had ended, while me and some other attendees were going up the funicular in Lugano. BTW thanks everybody for a great meeting! I then spent all of yesterday getting back home, and my colleagues had already upgraded bash on our systems when I got there today. However I have spent some time investigating if you can trigger this bug by using Slurm. (with non-upgraded bash that is) Turns out that Yes you can, in some configurations. The requirement is that either PrologSlurmctld or EpilogSlurmctld is configured to a script that is run by bash. In that case any user that can run a job can also run commands as SlurmUser on the machine running slurmctld. The job name is exported to PrologSlurmctld/EpilogSlurmctld in the environment variable SLURM_JOB_NAME, so you simply submit a job with the exploit code as the job name. I have not found a way to directly obtain root access. Epilog and Prolog are executed as root on compute nodes, but users don't control any of the environment variables exported to those scripts. Regards, Pär Lindfors, NSC
