I just wrote a short page about the security issues and the location of patches for SGE 6.2u5 & Open Grid Scheduler/Grid Engine 2011.11:
http://gridscheduler.sourceforge.net/security.html

Note that Oracle also fixed the code injection bug found by William in their CPU (Critical Patch Update) release today.

Andy shared a buffer overflow issue in sgepasswd (first with me, and then he also shared it with all other forks - we didn't want to put security bug fixes as features in marketing slides...). The bug is also fixed by today's CPU.

Rayson

On Tue, Apr 17, 2012 at 4:57 PM, William Hay <[email protected]> wrote:
> There is a security hole in most current versions of Grid Engine. The
> problem occurs when using a dynamically linked program as
> rlogin_daemon, rsh_daemon or qlogin_daemon or when running a
> dynamically linked binary as prolog or epilog with elevated
> privileges. This can be exploited by an ordinary user who submits a
> job using the -v option to set environment variables that control the
> dynamic linker such as LD_LIBRARY_PATH or LD_PRELOAD on Linux. This
> allows the user to run arbitrary code with elevated privileges
> (i.e. root).
>
> If you use the builtin daemons and don't have prolog or epilog running
> with elevated privileges then you should be safe.
>
> All the major forks (Son of Grid Engine, Open Grid Scheduler, Univa
> Grid Engine and Oracle Grid Engine) and several Linux distros have
> prepared patched versions which they should be releasing imminently.
>
> If you can't upgrade immediately then it should be possible to
> protect your system by using a statically linked binary to sanitize
> the environment. On RedHat and compatible versions of Linux busybox
> is linked statically and provides an env command that can be used to
> remove dangerous variables. On Debian and derivatives you need to
> ensure you have the busybox-static package installed rather than plain
> busybox.
>
> You can then protect your code with something like the following:
>
> prolog root@/sbin/busybox env -u BASH_ENV -u LD_LIBRARY_PATH -u LD_PRELOAD -u PERL5OPT -u PERLLIB -u IFS /cm/shared/apps/sge/current/cm/prolog
> epilog root@/sbin/busybox env -u BASH_ENV -u LD_LIBRARY_PATH -u LD_PRELOAD -u PERL5OPT -u PERLLIB -u IFS /cm/shared/apps/sge/current/cm/epilog
> rlogin_daemon /sbin/busybox env -u BASH_ENV -u LD_LIBRARY_PATH -u LD_PRELOAD -u PERL5OPT -u PERL5LIB -u PERLLIB -u IFS /cm/shared/apps/sge/assist/bin/qrlogind
> qlogin_daemon /sbin/busybox env -u BASH_ENV -u LD_LIBRARY_PATH -u LD_PRELOAD -u PERL5OPT -u PERL5LIB -u PERLLIB -u IFS /cm/shared/apps/sge/assist/bin/qlogind
> rsh_daemon /sbin/busybox env -u BASH_ENV -u LD_LIBRARY_PATH -u LD_PRELOAD -u PERL5OPT -u PERL5LIB -u PERLLIB -u IFS /cm/shared/apps/sge/assist/bin/qrshd
>
> The above examples also remove a few other variables that the
> interpreters we use for our scripts at UCL are sensitive to.
>
> Dave Love (of SoGE) has created a small wrapper program that removes
> the various dynamic linker controlling variables with significantly
> less verbiage which he should be releasing shortly.
>
> William
> _______________________________________________
> users mailing list
> [email protected]
> https://gridengine.org/mailman/listinfo/users
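
The environment-scrubbing wrapper idea from the quoted message, as an added example that is not part of the original thread and is not Dave Love's program. It drops the variables named in the `env -u` lists above, generalized to every `LD_*` name, and then executes the target; the binary name `scrubenv` is an assumption.

```c
/* Added example. Link statically (cc -static -o scrubenv scrubenv.c): a
 * dynamically linked wrapper would itself start under the hostile LD_* values. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

extern char **environ;
/* Exact names taken from the env -u lists in the quoted message. */
static const char *const deny_exact[] = {
    "BASH_ENV", "PERL5OPT", "PERL5LIB", "PERLLIB", "IFS", NULL
};

/* Return 1 if a "NAME=value" entry must be dropped. */
static int is_dangerous(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || strncmp(entry, "LD_", 3) == 0)
        return 1;   /* malformed entry, or any LD_* name (generalization) */
    size_t len = (size_t)(eq - entry);
    for (size_t i = 0; deny_exact[i] != NULL; i++)
        if (strlen(deny_exact[i]) == len && !strncmp(entry, deny_exact[i], len))
            return 1;
    return 0;
}

/* Compact envp in place; duplicate entries of a denied name are all removed. */
int scrub_env(char **envp)
{
    int removed = 0;
    char **dst = envp;
    for (char **src = envp; *src != NULL; src++) {
        if (is_dangerous(*src))
            removed++;
        else
            *dst++ = *src;
    }
    *dst = NULL;
    return removed;
}

int main(int argc, char **argv)
{
    if (argc < 2)
        return 2;                        /* usage: scrubenv /full/path [args...] */
    scrub_env(environ);
    execve(argv[1], &argv[1], environ);  /* full path required, no PATH search */
    perror("execve");
    return 127;
}
```

It takes the place of the `busybox env -u ...` chain, for example `prolog root@/usr/local/sbin/scrubenv /cm/shared/apps/sge/current/cm/prolog`, where the install path is an assumption.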
