[gridengine users] Security hole in most versions of Grid Engine

Rayson Ho rayson at scalablelogic.com
Tue Apr 17 21:39:25 UTC 2012


On Tue, Apr 17, 2012 at 5:34 PM, Reuti <reuti at staff.uni-marburg.de> wrote:
> If you run a prolog/epilog script under root account there might be even more depending on $PATH or other used (uninitialized) environment variables which are used therein.

If you Google for this kind of security bugs, you will find that there
is always *1 more* env var that can change the behavior but is not
filtered in other software.

Rayson

P.S. I will update the Open Grid Scheduler project homepage shortly.

>
> The best is to run them just as the ordinary user who runs the job anyway.
>
> NB: Don't forget about start/stop_proc_args ;-)
>
> -- Reuti
>
>
>> If you use the builtin daemons and don't have prolog or epilog running
>> with elevated privileges then you should be safe.
>>
>> All the major forks (Son of Grid Engine,Open Grid Scheduler, Univa
>> Grid Engine and Oracle Grid Engine)  and several linux distros have
>> prepared patched versions which they should be releasing imminently.
>>
>> If you can't upgrade immediately  then it should be possible to
>> protect your system by using a statically linked binary to sanitize
>> the environment.  On RedHat and compatible versions of Linux busybox
>> is linked statically and provides an env command that can be used to
>> remove dangerous variables.  On Debian and derivatives you need to
>> ensure you have the busybox-static package installed rather than plain
>> busybox.
>>
>> You can then protect your code with something like the following:
>> prolog                       root@/sbin/busybox env -u BASH_ENV -u
>> LD_LIBRARY_PATH -u LD_PRELOAD -u PERL5OPT -u PERLLIB -u IFS
>> /cm/shared/apps/sge/current/cm/prolog
>> epilog                       root@/sbin/busybox env -u BASH_ENV -u
>> LD_LIBRARY_PATH -u LD_PRELOAD -u PERL5OPT -u PERLLIB -u IFS
>> /cm/shared/apps/sge/current/cm/epilog
>> rlogin_daemon                /sbin/busybox env -u BASH_ENV -u
>> LD_LIBRARY_PATH -u LD_PRELOAD -u PERL5OPT -u PERL5LIB -u PERLLIB -u
>> IFS /cm/shared/apps/sge/assist/bin/qrlogind
>> qlogin_daemon                /sbin/busybox env -u BASH_ENV -u
>> LD_LIBRARY_PATH -u LD_PRELOAD -u PERL5OPT -u PERL5LIB -u PERLLIB -u
>> IFS /cm/shared/apps/sge/assist/bin/qlogind
>> rsh_daemon                   /sbin/busybox env -u BASH_ENV -u
>> LD_LIBRARY_PATH -u LD_PRELOAD -u PERL5OPT -u PERL5LIB -u PERLLIB -u
>> IFS /cm/shared/apps/sge/assist/bin/qrshd
>>
>> The above examples also remove a few other variables that the
>> interpreters we use for our scripts at UCL are sensitive to,
>>
>> Dave Love(of SoGE) has created a small wrapper program that removes
>> the various dynamic linker controlling variables with significantly
>> less verbiage which he should be releasing shortly.
>>
>>
>>
>> William
>> _______________________________________________
>> users mailing list
>> users at gridengine.org
>> https://gridengine.org/mailman/listinfo/users
>
>
> _______________________________________________
> users mailing list
> users at gridengine.org
> https://gridengine.org/mailman/listinfo/users




More information about the users mailing list