Thanks William, We (Univa) do have a distribution available now, and it has been tested on production clusters. Once again thanks for reporting this and we are glad to work with everyone on Security Issues.
Regards, Bill. On 2012-04-17, at 4:57 PM, William Hay wrote: > There is a security hole in most current versions of Grid Engine. The > problem occurs when using a dynamically linked program as > rlogin_daemon, rsh_daemon or qlogin_daemon or when running a > dynamically linked binary as prolog or epilog with elevated > privileges. This can be exploited by an ordinary user who submits a > job using the -v option to set environment variables that control the > dynamic linker such as > LD_LIBRARY_PATH or LD_PRELOAD on Linux. This allows the user to run > arbitrary code with elevated privileges (ie root). > > If you use the builtin daemons and don't have prolog or epilog running > with elevated privileges then you should be safe. > > All the major forks (Son of Grid Engine,Open Grid Scheduler, Univa > Grid Engine and Oracle Grid Engine) and several linux distros have > prepared patched versions which they should be releasing imminently. > > If you can't upgrade immediately then it should be possible to > protect your system by using a statically linked binary to sanitize > the environment. On RedHat and compatible versions of Linux busybox > is linked statically and provides an env command that can be used to > remove dangerous variables. On Debian and derivatives you need to > ensure you have the busybox-static package installed rather than plain > busybox. > > You can then protect your code with something like the following: > prolog root@/sbin/busybox env -u BASH_ENV -u > LD_LIBRARY_PATH -u LD_PRELOAD -u PERL5OPT -u PERLLIB -u IFS > /cm/shared/apps/sge/current/cm/prolog > epilog root@/sbin/busybox env -u BASH_ENV -u > LD_LIBRARY_PATH -u LD_PRELOAD -u PERL5OPT -u PERLLIB -u IFS > /cm/shared/apps/sge/current/cm/epilog > rlogin_daemon /sbin/busybox env -u BASH_ENV -u > LD_LIBRARY_PATH -u LD_PRELOAD -u PERL5OPT -u PERL5LIB -u PERLLIB -u > IFS /cm/shared/apps/sge/assist/bin/qrlogind > qlogin_daemon /sbin/busybox env -u BASH_ENV -u > LD_LIBRARY_PATH -u LD_PRELOAD -u PERL5OPT -u PERL5LIB -u PERLLIB -u > IFS /cm/shared/apps/sge/assist/bin/qlogind > rsh_daemon /sbin/busybox env -u BASH_ENV -u > LD_LIBRARY_PATH -u LD_PRELOAD -u PERL5OPT -u PERL5LIB -u PERLLIB -u > IFS /cm/shared/apps/sge/assist/bin/qrshd > > The above examples also remove a few other variables that the > interpreters we use for our scripts at UCL are sensitive to, > > Dave Love(of SoGE) has created a small wrapper program that removes > the various dynamic linker controlling variables with significantly > less verbiage which he should be releasing shortly. > > > > William > _______________________________________________ > users mailing list > [email protected] > https://gridengine.org/mailman/listinfo/users William Bryce | VP of Products Univa Corporation - 1001 Warrenville Road, Suite 100 Lisle, Il, 65032 USA Email [email protected] | Mobile: 512.751.8014 | Office: 416.519.2934 _______________________________________________ users mailing list [email protected] https://gridengine.org/mailman/listinfo/users
