Debian Bug report logs - #524980
SLURM daemons do not drop supplemental groups

version graph

Package: slurm-llnl; Maintainer for slurm-llnl is Debian HPC Team <debian-hpc@lists.debian.org>;

Reported by: Thijs Kinkhorst <thijs@debian.org>

Date: Tue, 21 Apr 2009 09:57:02 UTC

Severity: grave

Tags: patch, security

Found in version slurm-llnl/1.3.6-1

Fixed in versions 1.3.6-1lenny3, slurm-llnl/1.3.15-1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Gennaro Oliva <oliva.g@na.icar.cnr.it>:
Bug#524980; Package slurm-llnl. (Tue, 21 Apr 2009 09:57:05 GMT) (full text, mbox, link).


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to Gennaro Oliva <oliva.g@na.icar.cnr.it>. (Tue, 21 Apr 2009 09:57:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: submit@bugs.debian.org
Subject: SLURM daemons do not drop supplemental groups
Date: Tue, 21 Apr 2009 11:50:34 +0200
[Message part 1 (text/plain, inline)]
Package: slurm-llnl
Version: 1.3.6-1
Severity: grave
Tags: security patch pending


The following issue has been reported on the slurm-llnl mailinglist.
Updated packages are in preparation.

----------  Forwarded Message  ----------

A security flaw has been discovered in all releases of SLURM
versions 1.2 and 1.3. This flaw can be exploited by legitimate
users of a computer to increase their privileges based upon
the supplemental groups available to the SLURM daemons.


Description

A vulnerability exists in the current SLURM sbcast implementation.
The result of this flaw is that sbcast may not properly establish
user supplementary groups before opening files for writing, instead
inheriting the supplementary group list from the slurmd daemon,
which may contain system groups with elevated privileges.

Similar logic exists in support of the strigger command. If the
SlurmUser is configured to be root, unprivileged users may execute
a program inheriting the supplementary group list from the slurmctld
daemon, which may contain system groups with elevated privileges.

You can check the current list of supplementary groups that would be
inherited from these daemons by running the following command:

    grep ^Groups /proc/`pidof slurmd`/status
    grep ^Groups /proc/`pidof slurmctld`/status


Impact

A valid SLURM user may be able to write files in directories with
group write access for one of the inherited groups and/or may be able
to overwrite files with similar group write access. Depending upon
system configuration, this may allow a user to gain elevated privileges.


Solution

We are providing four options to fix this problem.

1. Apply the initgroups.patch2 to an existing SLURM version 1.3
    or 1.2 distribution.

2. Install the nogroups.c wrapper to start the SLURM daemons without
    any supplemental groups. This can be used with most configurations
    and no change in the installed SLURM code.

3. Install SLURM version 1.3.14, which is the same as version
    1.3.13 (a very stable release made on 13 January 2009) plus
    initgroups.patch2.

4. Install SLURM version 1.3.15, which includes initgroups.patch2
    plus support for BlueGene/P systems, an assortment of minor
    bug fixes and some minor enhancements.

After performing one of these changes, the SLURM daemons must be
restarted for the change to take effect.

SLURM version 1.4.0-pre12 was also released today for those working
with a beta version of the next major release.
-------------------------------------------------------
[initgroups.patch2 (text/x-diff, attachment)]
[nogroups.c (text/x-csrc, attachment)]
[signature.asc (application/pgp-signature, inline)]

Bug marked as fixed in version 1.3.6-1lenny3, send any further explanations to Thijs Kinkhorst <thijs@debian.org> Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Tue, 21 Apr 2009 10:48:12 GMT) (full text, mbox, link).


Bug marked as fixed in version 1.3.15-1, send any further explanations to Thijs Kinkhorst <thijs@debian.org> Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Tue, 21 Apr 2009 10:48:13 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Jul 2009 07:37:42 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Aug 2 01:31:13 2024; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.