Grid Security Vulnerability Group - Advisory

Topic: fork job manager
Date: 2007-08-16, updated 2010-08-16
ID: Grid Vulnerability Savannah bug #9055

--

Background

The fork job manager is a necessary part of the basic functionality of the current LCG Computing Element (LCG-CE), as used through Condor-G, e.g. by the gLite Workload Management System (WMS). The fork job manager is used to start the so-called "grid-monitor" processes on the LCG-CE head node; these are needed to inform the WMS/Condor-G of the status of the jobs submitted to that CE. The presence of the fork job manager can also be useful for debugging remote sites.

--

Vulnerability Details

If a user is allowed to submit jobs to a CE, that user can also run arbitrary commands on the CE head node itself, under the same account to which the user is mapped for running jobs in the batch system.

Through the fork job manager it is easy to cause a denial of service on the CE. The user might also start a service on the head node that accepts connections from the world.

The fork job manager may also allow the user to bypass grid accounting to some extent, but not batch system accounting. Such jobs would appear as local jobs, but the DN can still be determined, unless a shared (e.g. sgm/prd) account was used.

--

Grid Security Vulnerability Group Response

This is only exploitable by an authorized user with valid credentials.

Added 2010-08-16: some sites are using the mitigation shown under "Precautionary measures or checks" below.

--

Component and installation information

N/A

--

Precautionary measures or checks

Added 2010-08-16: the following one-line patch for /opt/globus/lib/perl/Globus/GRAM/JobManager/fork.pm provides a mitigation against very easy abuse of the fork job manager, e.g. through globus-job-run:

-----------------------------------------------------------------------------
--- fork.pm.orig 2010-03-02 16:07:40.000000000 +0100
+++ fork.pm 2010-03-02 16:12:38.000000000 +0100
@@ -201,6 +201,8 @@ close( EXEC ); } + return Globus::GRAM::Error::JOBTYPE_NOT_SUPPORTED() unless $is_grid_monitor; + if($is_grid_monitor && $ENV{GLOBUS_GMA}) { push(@cmdline, "$ENV{GLOBUS_LOCATION}/libexec/grid_monitor_lite.sh"); } elsif($description->executable() =~ m:^(/|\.):) {
-----------------------------------------------------------------------------

It causes any command that does not look like a grid_monitor script to be rejected. This patch is in use at some sites. The same patch needs to be applied to the /opt/globus/setup/globus/fork.in template as well, so that a fork.pm regenerated from the template keeps the change.

--

Other information

The CREAM CE available from gLite >= 3.1 uses neither the fork job manager nor the gatekeeper. The CREAM daemons do not allow the user to run anything on the CE head node.

In the VDT distribution there exists an alternative to the standard fork job manager, viz. a special case of the Condor job manager that allows the admin to limit the number of jobs running on the head node at the same time, or to grant preferential treatment to one group or another. However, it does not close the door to running arbitrary commands.

Since the LCG-CE is foreseen to be phased out in favor of the gLite CREAM CE, there is currently no intention to put further effort into protecting the head node against abuse.

Added 2010-08-16: this issue is being closed, as it seems unlikely that it will ever be fixed. The LCG-CE is foreseen to be phased out in favor of CREAM. There is a possibility that continued support for the LCG-CE may be needed for a while, though, as in the past there have been requests for continued support for job submission via the Globus GRAM-2 protocol, as used by the LCG-CE.

--

Credit

This vulnerability was initially reported by Stephen Burke.

--

Disclosure Timeline

yyyy-mm-dd
2005-06-15 Vulnerability reported by Stephen Burke.
2005-11-11 Site security contacts informed according to the pre-EGEE-II vulnerability handling process.
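Review bot: on the fork.pm hunk under "Precautionary measures or checks", the new guard `return Globus::GRAM::Error::JOBTYPE_NOT_SUPPORTED() unless $is_grid_monitor;` makes the `$is_grid_monitor &&` part of the following `if($is_grid_monitor && $ENV{GLOBUS_GMA})` redundant, so that condition can be reduced to `if($ENV{GLOBUS_GMA})`; more importantly, the whole mitigation now rests on how `$is_grid_monitor` is computed, which is set outside this hunk and not shown. If it is derived from the submitted job description (executable name or arguments), a submitter controls the input to that test and the rejection only stops the casual globus-job-run case the advisory itself describes; the accompanying text should say so rather than imply arbitrary commands are blocked. A short comment above the added line explaining why non-grid-monitor jobs are refused, and a reminder that setup/globus/fork.in must carry the same change, would also save the next admin from regenerating an unpatched fork.pm.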
2007-08-16 Public disclosure of the advisory: public disclosure had been agreed, the target date had passed, and the issue was still not resolved.
2010-08-16 Advisory updated, including the mitigation; issue closed as no further action is expected to be taken.

--

References

If applicable

==========================================================================
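A deployment check for the mitigation described under "Precautionary measures or checks", added here as an example and not part of the advisory or of the Globus or gLite code: it verifies that the JOBTYPE_NOT_SUPPORTED guard is present in both files the advisory names (the live fork.pm and the fork.in template it is regenerated from) and that the guard sits before the grid-monitor branch, so that a reinstall or a re-run of the setup script does not silently drop the patch. The two sample files are constructed inside the script for a stand-alone run; the paths and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the advisory or of Globus/gLite): verify that the
# advisory's fork.pm guard is present and correctly placed in both the live
# job manager module and the setup template it is regenerated from.

# Return 0 if FILE contains the guard line and it precedes the
# "if($is_grid_monitor" branch, 1 otherwise (including unreadable file).
check_fork_guard() {
    file="$1"
    [ -r "$file" ] || return 1
    guard=$(grep -n 'JOBTYPE_NOT_SUPPORTED() unless \$is_grid_monitor' "$file" \
            | head -n 1 | cut -d: -f1)
    branch=$(grep -n 'if(\$is_grid_monitor' "$file" | head -n 1 | cut -d: -f1)
    [ -n "$guard" ] && [ -n "$branch" ] && [ "$guard" -lt "$branch" ]
}

# Check both files the advisory says must carry the patch under GLOBUS_ROOT
# (default /opt/globus, the path the advisory uses). Returns 1 if any is
# missing the guard.
check_lcg_ce() {
    root="${1:-/opt/globus}"
    rc=0
    for f in "$root/lib/perl/Globus/GRAM/JobManager/fork.pm" \
             "$root/setup/globus/fork.in"; do
        if check_fork_guard "$f"; then
            echo "ok       $f"
        else
            echo "MISSING  $f"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample tree for a stand-alone run: the module is patched, the
# template is not (the mistake the advisory's note about fork.in warns about).
make_sample_tree() {
    root="$1"
    mkdir -p "$root/lib/perl/Globus/GRAM/JobManager" "$root/setup/globus"
    cat > "$root/lib/perl/Globus/GRAM/JobManager/fork.pm" <<'EOF'
        close( EXEC );
    }

    return Globus::GRAM::Error::JOBTYPE_NOT_SUPPORTED() unless $is_grid_monitor;

    if($is_grid_monitor && $ENV{GLOBUS_GMA}) {
        push(@cmdline, "$ENV{GLOBUS_LOCATION}/libexec/grid_monitor_lite.sh");
    }
EOF
    cat > "$root/setup/globus/fork.in" <<'EOF'
        close( EXEC );
    }

    if($is_grid_monitor && $ENV{GLOBUS_GMA}) {
        push(@cmdline, "$ENV{GLOBUS_LOCATION}/libexec/grid_monitor_lite.sh");
    }
EOF
}

# Usage on a real head node:  sh check_fork_guard.sh --run [/opt/globus]
if [ "${1:-}" = "--run" ]; then
    check_lcg_ce "${2:-/opt/globus}"
fi
```

The check deliberately requires the guard to come before the grid-monitor branch: a guard pasted after the if/elsif chain would compile but would be reached only for jobs that the chain has already accepted, which is the failure mode the hunk's position is meant to avoid.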