[Apologies if any of this is in postings I haven't read.]

William Hay <[email protected]> writes:

> There is a security hole in most current versions of Grid Engine.

It seems to be in all previous versions, at least above 5 (apart from proprietary binaries which seem to have been provided to customers while people who found the issue were embargoed). It has always been documented for LD_LIBRARY_PATH et al <http://arc.liv.ac.uk/SGE/adoc/libsgeobj.html#sgeobj-var-var_005flist_005fset_005fsharedlib_005fpath>. That might lead you -- like me -- to assume that specific case was fixed, until William found otherwise for remote startup (oddly, whilst I was pondering sensitive variables for the prolog case).

> If you can't upgrade immediately then it should be possible to
> protect your system by using a statically linked binary to sanitize
> the environment.

Unfortunately, on recent Solaris it isn't; it seems to be impossible to build static binaries, at least for some value of "impossible". The solution seems to be to employ an suid wrapper (see below) and a degree of trust in the loader.

>     rsh_daemon /sbin/busybox env -u BASH_ENV -u
>     LD_LIBRARY_PATH -u LD_PRELOAD -u PERL5OPT -u PERL5LIB -u PERLLIB -u
>     IFS /cm/shared/apps/sge/assist/bin/qrshd
>
> The above examples also remove a few other variables that the
> interpreters we use for our scripts at UCL are sensitive to,

[Not aimed at William:] The list of sensitive variables provided by GNU libc and sudo is longer, and is obviously different for other OSes, e.g. Darwin and AIX. For what it's worth, I haven't found a shell which imports IFS, and it's probably courageous to use privileged shell scripts generally. "perl -T" is documented to ignore environmental dangers and there's a similar option for Python but not, as far as I can tell, for Ruby, for instance.

> Dave Love (of SoGE) has created a small wrapper program that removes
> the various dynamic linker controlling variables with significantly
> less verbiage which he should be releasing shortly.

See <http://arc.liv.ac.uk/downloads/SGE/support/safe_exec.tar.gz>. It would replace "/sbin/busybox env -u ..." in the examples above. I'll update it with any changes or build hints people are kind enough to report for systems they know about. HTH.

I'll try to get a new SoGE release out shortly, but I'm very pressed, and things aren't helped by needing to jump after an anti-European embargo deadline time.

Also note that Oracle have had a buffer overrun reported in sgepasswd (which needs to be installed setuid to be useful). I haven't been told what it is, but I'd already fixed some possibilities which will be in SGE 8.0.0e. If you have sgepasswd installed setuid and don't need it (currently only with MS Windows hosts, I think), chmod -s is a good idea.

--
Community Grid Engine: http://arc.liv.ac.uk/SGE/

_______________________________________________
users mailing list
[email protected]
https://gridengine.org/mailman/listinfo/users
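The kind of environment-scrubbing wrapper the thread talks about (the busybox `env -u ...` chain and the safe_exec tarball) is easy to get subtly wrong if written as a shell script, which is why a small compiled program is preferable. The following is an added illustration, written for this page and not the safe_exec code or anything from the SGE project: it drops the variables named in the thread (BASH_ENV, LD_LIBRARY_PATH, LD_PRELOAD, PERL5OPT, PERL5LIB, PERLLIB, IFS) and, as an assumption on my part modelled on the longer glibc/sudo lists the message alludes to, also drops anything prefixed `LD_` or `DYLD_` (Darwin), AIX's `LIBPATH`, sh/ksh's `ENV`, and `PYTHONPATH`/`PYTHONSTARTUP`. The program then execs its first argument with the cleaned environment.

```c
/* Added example: drop loader- and interpreter-controlling variables, then
 * exec the target.  Not the safe_exec wrapper from the thread. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Names removed by exact match: the ones named in the thread, plus ENV and
 * the two Python ones (assumption: modelled on the glibc/sudo unsafe lists). */
static const char *const drop_exact[] = {
    "BASH_ENV", "ENV", "IFS",
    "PERL5OPT", "PERL5LIB", "PERLLIB",
    "PYTHONPATH", "PYTHONSTARTUP",
    "LIBPATH",                 /* AIX loader search path */
    NULL
};

/* Names removed by prefix: everything the ELF loader reads (LD_LIBRARY_PATH,
 * LD_PRELOAD, LD_AUDIT, ...) and Darwin's DYLD_* family. */
static const char *const drop_prefix[] = { "LD_", "DYLD_", NULL };

/* Return nonzero if an "NAME=value" entry (or a bare "NAME") must be dropped.
 * The name is compared up to the '=' so "PERL5LIBX=..." is not confused with
 * "PERL5LIB=..." and "LDAP_..." is not matched by the "LD_" prefix. */
int is_dangerous(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t nlen = eq ? (size_t)(eq - entry) : strlen(entry);

    for (size_t i = 0; drop_exact[i]; i++)
        if (strlen(drop_exact[i]) == nlen &&
            strncmp(entry, drop_exact[i], nlen) == 0)
            return 1;

    for (size_t i = 0; drop_prefix[i]; i++) {
        size_t plen = strlen(drop_prefix[i]);
        if (plen <= nlen && strncmp(entry, drop_prefix[i], plen) == 0)
            return 1;
    }
    return 0;
}

/* Build a NULL-terminated copy of envp without the dangerous entries.  The
 * strings themselves are borrowed from envp; only the array is allocated.
 * On success *kept (if non-NULL) receives the number of surviving entries.
 * Returns NULL on allocation failure. */
char **sanitize_env(char *const envp[], size_t *kept)
{
    size_t n = 0;
    while (envp[n])
        n++;

    char **out = malloc((n + 1) * sizeof *out);
    if (!out)
        return NULL;

    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (!is_dangerous(envp[i]))
            out[k++] = envp[i];
    out[k] = NULL;

    if (kept)
        *kept = k;
    return out;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s /absolute/path/to/program [args...]\n", argv[0]);
        return 2;
    }
    char **clean = sanitize_env(environ, NULL);
    if (!clean) {
        perror("malloc");
        return 1;
    }
    /* execve does no PATH search, so the target must be given as a full
     * path, as in the rsh_daemon example above. */
    execve(argv[1], argv + 1, clean);
    perror(argv[1]);
    return 127;
}
```

Used in place of the busybox chain it would read `rsh_daemon /path/to/wrapper /cm/shared/apps/sge/assist/bin/qrshd`. The caveat the thread raises still applies: the wrapper only cleans what it hands to `execve`, so if the wrapper itself is dynamically linked, the loader has already consulted LD_PRELOAD and friends while starting it; a static build, or (where that is impossible, as reported for Solaris) a setuid install so the loader ignores those variables, is what closes that gap.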
