Bug #25560

Define RELEASE_DIR and BIN for the Glidein HTCondor

Added by Marco Mambelli about 2 months ago. Updated about 2 months ago.

Status:
Resolved
Priority:
Urgent
Category:
Glidein
Target version:
Start date:
02/25/2021
Due date:
% Done:

0%

Estimated time:
First Occurred:
Occurs In:
Stakeholders:
Duration:

Description

It is important to set RELEASE_DIR in each HTCondor configuration.

This way HTCondor is able to find its own binary and libraries.
The defaults are:
BIN = $(RELEASE_DIR)/bin
SBIN = $(RELEASE_DIR)/sbin
LIB = $(RELEASE_DIR)/lib
LIBEXEC = $(RELEASE_DIR)/libexec

The default for RELEASE_DIR = /tmp/condorinstall0 is also a security risk since /tmp could be written by all users.

There is a pull request: https://github.com/glideinWMS/glideinwms/pull/44

Hi all,

I wanted to point out a security issue in the default configuration of HTCondor + glideinWMS.

The HTCondor release from UW defaults RELEASE_DIR to /tmp/condorinstall0.  This means, in the absence of any other config (which, by default, there is) it will look for binaries in /tmp.

This is precisely what's happening in the glideinWMS configuration.  RELEASE_DIR is unset and various directories (but not all!) are set directly.

For example, BIN is not set in the generated configuration so, for all running glideins, BIN is set to /tmp/condorinstall0/bin.  Needless to say, I worry this opens things up to many shenanigans.  For example, Greg noticed that when doing "condor_ssh_to_job" to a Singularity job, the pilot tries to execute the binary in /tmp/condorinstall0/bin/condor_docker_enter (which, in all likelihood is *not* what we're looking for).

So, I think there's work all around:

1. HTCondor's compile time default for RELEASE_DIR should _not_ be /tmp/condorinstall0 but rather some traditionally root-owned directory (/usr/local?)
2. glideinWMS should set RELEASE_DIR to CONDOR_DIR by default.

Thanks,

Brian

History

#1 Updated by Marco Mambelli about 2 months ago

  • Target version changed from v3_7_3 to v3_6_7
  • Priority changed from Normal to Urgent
  • Status changed from New to Assigned

#2 Updated by Marco Mambelli about 2 months ago

  • Status changed from Assigned to Resolved

Code changes have been merged in master, will be in v3.7.3.

For hotfixes, the Factory should be modified.
  1. The file /var/lib/gwms-factory/web-base/condor_config should be modified. Add the line
    BIN = $(CONDOR_DIR)/bin

    Right before the line
    SBIN = $(CONDOR_DIR)/sbin
  2. Run a factory upgrade command
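As an added example (not code from this issue, glideinWMS or HTCondor), a small Python check that resolves HTCondor $(MACRO) references the way the issue describes, with macros absent from the config falling back to the compile-time defaults listed above, and reports any binary directory that ends up under /tmp. The glidein-style before/after configs and the CONDOR_DIR path are constructed for the example.

```python
import re

# Compile-time defaults quoted in the issue: RELEASE_DIR falls back to
# /tmp/condorinstall0 and the binary directories are derived from it.
COMPILE_TIME_DEFAULTS = {
    "RELEASE_DIR": "/tmp/condorinstall0",
    "BIN": "$(RELEASE_DIR)/bin",
    "SBIN": "$(RELEASE_DIR)/sbin",
    "LIB": "$(RELEASE_DIR)/lib",
    "LIBEXEC": "$(RELEASE_DIR)/libexec",
}
WORLD_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/")
_MACRO = re.compile(r"\$\((\w+)\)")

def parse_condor_config(text):
    """Parse 'NAME = value' lines (blank lines and # comments skipped)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, sep, value = line.partition("=")
            if sep:
                cfg[name.strip().upper()] = value.strip()
    return cfg

def expand(name, cfg, depth=0):
    """Resolve $(MACRO) references recursively; a macro missing from the
    config takes its compile-time default, which is what HTCondor does."""
    if depth > 20:
        raise ValueError("macro recursion too deep: " + name)
    raw = cfg.get(name, COMPILE_TIME_DEFAULTS.get(name, ""))
    return _MACRO.sub(lambda m: expand(m.group(1).upper(), cfg, depth + 1), raw)

def audit_binary_dirs(text):
    """Map each binary-directory macro that resolves under a world-writable
    prefix to its resolved path; an empty dict means the config is clean."""
    cfg = parse_condor_config(text)
    resolved = {m: expand(m, cfg) for m in ("BIN", "SBIN", "LIB", "LIBEXEC")}
    return {m: p for m, p in resolved.items() if p.startswith(WORLD_WRITABLE_PREFIXES)}

# Constructed glidein-style config before the fix: SBIN/LIB/LIBEXEC are set but
# BIN and RELEASE_DIR are not, so BIN silently becomes /tmp/condorinstall0/bin.
GLIDEIN_BEFORE = """
CONDOR_DIR = /home/glidein/condor
SBIN = $(CONDOR_DIR)/sbin
LIB = $(CONDOR_DIR)/lib
LIBEXEC = $(CONDOR_DIR)/libexec
"""
# Same config with the hotfix line from the issue, plus RELEASE_DIR pinned.
GLIDEIN_AFTER = GLIDEIN_BEFORE + "BIN = $(CONDOR_DIR)/bin\nRELEASE_DIR = $(CONDOR_DIR)\n"
```

audit_binary_dirs(GLIDEIN_BEFORE) returns {'BIN': '/tmp/condorinstall0/bin'}, the path Brian's message describes, while audit_binary_dirs(GLIDEIN_AFTER) returns an empty dict.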
