On Tue, Apr 17, 2012 at 5:34 PM, Reuti <[email protected]> wrote:
> If you run a prolog/epilog script under root account there might be even more
> depending on $PATH or other used (uninitialized) environment variables which
> are used therein.

If you Google for this kind of security bug, you will find that there is
always *1 more* env var that can change the behavior but is not filtered in
other software.

Rayson

P.S. I will update the Open Grid Scheduler project homepage shortly.


> The best is to run them just as the ordinary user who runs the job anyway.
>
> NB: Don't forget about start/stop_proc_args ;-)
>
> -- Reuti
>
>
>> If you use the builtin daemons and don't have prolog or epilog running
>> with elevated privileges then you should be safe.
>>
>> All the major forks (Son of Grid Engine, Open Grid Scheduler, Univa
>> Grid Engine and Oracle Grid Engine) and several Linux distros have
>> prepared patched versions which they should be releasing imminently.
>>
>> If you can't upgrade immediately then it should be possible to
>> protect your system by using a statically linked binary to sanitize
>> the environment. On RedHat and compatible versions of Linux busybox
>> is linked statically and provides an env command that can be used to
>> remove dangerous variables. On Debian and derivatives you need to
>> ensure you have the busybox-static package installed rather than plain
>> busybox.
>>
>> You can then protect your code with something like the following:
>>
>> prolog root@/sbin/busybox env -u BASH_ENV -u LD_LIBRARY_PATH -u LD_PRELOAD -u PERL5OPT -u PERLLIB -u IFS /cm/shared/apps/sge/current/cm/prolog
>> epilog root@/sbin/busybox env -u BASH_ENV -u LD_LIBRARY_PATH -u LD_PRELOAD -u PERL5OPT -u PERLLIB -u IFS /cm/shared/apps/sge/current/cm/epilog
>> rlogin_daemon /sbin/busybox env -u BASH_ENV -u LD_LIBRARY_PATH -u LD_PRELOAD -u PERL5OPT -u PERL5LIB -u PERLLIB -u IFS /cm/shared/apps/sge/assist/bin/qrlogind
>> qlogin_daemon /sbin/busybox env -u BASH_ENV -u LD_LIBRARY_PATH -u LD_PRELOAD -u PERL5OPT -u PERL5LIB -u PERLLIB -u IFS /cm/shared/apps/sge/assist/bin/qlogind
>> rsh_daemon /sbin/busybox env -u BASH_ENV -u LD_LIBRARY_PATH -u LD_PRELOAD -u PERL5OPT -u PERL5LIB -u PERLLIB -u IFS /cm/shared/apps/sge/assist/bin/qrshd
>>
>> The above examples also remove a few other variables that the
>> interpreters we use for our scripts at UCL are sensitive to.
>>
>> Dave Love (of SoGE) has created a small wrapper program that removes
>> the various dynamic linker controlling variables with significantly
>> less verbiage which he should be releasing shortly.
>>
>>
>>
>> William
>> _______________________________________________
>> users mailing list
>> [email protected]
>> https://gridengine.org/mailman/listinfo/users
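As an added illustration of the "statically linked sanitizer" approach discussed in this thread (this is example code written for this page; it is not Grid Engine code, not Dave Love's wrapper, and not the busybox configuration William posted), here is a small exec wrapper in C that drops the dangerous variables and then execs the real prolog/epilog or daemon. Two choices go beyond the busybox lines above and are this example's own: every `LD_*` variable is removed as a family rather than by name, which sidesteps the "one more env var" problem Rayson describes for the dynamic linker, and the block list adds a few interpreter hooks (PYTHONPATH, RUBYOPT, ...) that are not in the original post. The sample environment in the block is constructed for the demonstration, not captured from a real host, and `scrubenv` and the paths in the usage comment are hypothetical names.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Names dropped by exact match. The list is this example's choice: the
 * variables the busybox "env -u" lines in the thread remove, plus a few
 * interpreter hooks. It is deliberately not claimed to be complete. */
static const char *const BLOCKED[] = {
    "BASH_ENV", "ENV", "IFS", "PERL5OPT", "PERLLIB", "PERL5LIB",
    "PYTHONPATH", "PYTHONSTARTUP", "RUBYOPT", "RUBYLIB", NULL
};

/* Length of the NAME part of "NAME=value" (whole string if no '='). */
static size_t name_len(const char *entry)
{
    const char *eq = strchr(entry, '=');
    return eq ? (size_t)(eq - entry) : strlen(entry);
}

/* 1 if this "NAME=value" entry must not reach the child, else 0. */
int is_dangerous(const char *entry)
{
    size_t n = name_len(entry);

    /* Everything the dynamic linker honours (LD_PRELOAD, LD_LIBRARY_PATH,
     * LD_AUDIT, ...) is dropped as a family, not by enumeration. */
    if (n >= 3 && strncmp(entry, "LD_", 3) == 0)
        return 1;
    for (const char *const *b = BLOCKED; *b; ++b)
        if (strlen(*b) == n && strncmp(entry, *b, n) == 0)
            return 1;
    return 0;
}

/* Copy the safe entries of `in` into `out`, NULL-terminated. Returns the
 * number kept, or (size_t)-1 if `out` cannot hold them plus the NULL. */
size_t scrub_env(char *const in[], char *out[], size_t out_cap)
{
    size_t kept = 0;
    for (size_t i = 0; in[i]; ++i) {
        if (is_dangerous(in[i]))
            continue;
        if (kept + 1 >= out_cap)
            return (size_t)-1;
        out[kept++] = in[i];
    }
    out[kept] = NULL;
    return kept;
}

/* Constructed sample environment (not captured from a real system) so the
 * scrubbing can be exercised without exec'ing anything. */
static char *const SAMPLE_ENV[] = {
    "PATH=/usr/bin:/bin",
    "LD_PRELOAD=/tmp/evil.so",
    "BASH_ENV=/tmp/hook.sh",
    "HOME=/root",
    "LD_AUDIT=/tmp/audit.so",
    "PERL5OPT=-Mevil",
    "IFS=x",
    "OLD_PRELOAD=harmless",   /* does not start with LD_, must survive */
    NULL
};
static char *sample_out[16];

/* Scrub SAMPLE_ENV; returns the number of entries kept. */
size_t sample_scrub(void)
{
    return scrub_env(SAMPLE_ENV, sample_out,
                     sizeof sample_out / sizeof sample_out[0]);
}

/* i-th surviving entry after sample_scrub(), or NULL past the end. */
const char *sample_entry(size_t i)
{
    size_t n = sample_scrub();
    return (n != (size_t)-1 && i < n) ? sample_out[i] : NULL;
}

/* Usage (hypothetical install path): scrubenv /absolute/path/to/prolog [args...]
 * Execs the command with the scrubbed environment of this process. */
int main(int argc, char **argv)
{
    char *clean[4096];

    if (argc < 2 || argv[1][0] != '/') {
        fprintf(stderr, "usage: %s /absolute/path/cmd [args...]\n", argv[0]);
        return 2;   /* PATH is not trusted to locate the target */
    }
    if (scrub_env(environ, clean, sizeof clean / sizeof clean[0]) == (size_t)-1) {
        fprintf(stderr, "environment too large\n");
        return 2;
    }
    execve(argv[1], argv + 1, clean);
    fprintf(stderr, "execve %s: %s\n", argv[1], strerror(errno));
    return 127;
}
```

Build it with `gcc -static` so that, like the busybox trick, the wrapper itself cannot be influenced by LD_PRELOAD or LD_LIBRARY_PATH before it gets a chance to strip them, install it somewhere only root can write, and reference it the same way the busybox lines do, e.g. `prolog root@/usr/local/sbin/scrubenv /cm/shared/apps/sge/current/cm/prolog` (the install path is an assumed one). An allow-list that keeps only PATH, HOME, USER and the SGE_* variables the scripts need would be stricter still than the deny-list shown here; the deny-list form was kept to match the thread.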
