=====================================================================
                                   CERT-Renater

                        Information Note No. 2009/VULN551
_____________________________________________________________________

DATE                      : 22/12/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Condor.

======================================================================
http://www.cs.wisc.edu/condor/manual/v7.4/8_3Stable_Release.html#SECTION00931000000000000000
______________________________________________________________________

Version 7.4.1

Release Notes:

    * Security Item: A flaw was found that could allow a user who
already is authorized to submit jobs into Condor, to queue a job under
the guise of a different user. In this way, someone who has access to a
Condor submission service and is allowed to submit jobs into Condor could
gain access to another non-root or non-administrator account on the system.
This flaw was discovered during the development process; no incidents have
been reported. Details of the problem will be made available on Feb 1st, 2010.

    * The default value of JOB_ROUTER_NAME has changed from an empty string to
jobrouter in order to address problems caused by the previous default. Without
special handling, this means that jobs being managed by condor_job_router before
upgrading will not be adopted by the new version of condor_job_router if the default
JOB_ROUTER_NAME was being used. To correct this, follow the instructions given in
the description of JOB_ROUTER_NAME on page [*].

New Features:

    * Allow submit files to specify IwdFlushNFSCache expression to control if
Condor tries to flush the NFS cache for a job's initial working directory on job
completion.

    * The new -attributes option to condor_status explicitly specifies the
attributes to be listed when using the -xml or -long options.

Configuration Variable and ClassAd Attribute Additions and Changes:

    * New VOMS attributes have been introduced into the job ad to keep them
separate from the X509UserProxySubjectName.

    * The default for JOB_ROUTER_NAME has changed from an empty string to
jobrouter. See the release notes for more information about upgrading from an old version.

    * The configuration variable TCP_FORWARDING_HOST has existed in Condor since version 7.0.0,
but was not documented. See section 3.3.6 for documentation.

Bugs Fixed:

    * Condor no longer creates the job sandbox in its SPOOL directory if it's not needed.

    * Fixed a problem introduced in Condor version 7.4.0 that caused GSI authentication
between Condor processes to fail when using a non-legacy format X.509 proxy.

    * Fixed a problem with CCB under Windows platforms that has existed since Condor
version 7.3.0. This problem caused CCB-enabled daemons to become unresponsive after
the exit of a child process.

    * Improved the handling of previously-submitted gt2 grid jobs upon release
from hold, when there is no Globus job manager for the job running on the remote
resource.

    * Fixed a problem with job leases for jobs that use a condor_shadow. Previously,
while these jobs were running, lease renewals from the submitter would not be noticed,
and the job would be aborted when the original lease expired.

    * Fixed a bug that only allowed about 50 splices to be included into a DAG input
file. There is now no limit to the number of splices one may include into a DAG input
file except, of course, for the implicit memory allocation limit of the condor_dagman
process.

    * Removed attempted limiting of swap space via 'ulimit -v' using the VirtualMemory
parameter in condor_limits_wrapper.sh.

    * Fixed a bug that caused ALLOW_CONFIG and HOSTALLOW_CONFIG as well as the
corresponding DENY configuration variables to incorrectly handle a setting
consisting of a single * or the equivalent */*. This also fixes a bug that caused
incorrect merging of ALLOW and HOSTALLOW settings when one, but not both,
consisted of a single * or the equivalent */*. These bugs have existed since
before Condor version 6.8.

    * Fixed a bug introduced in Condor version 7.3.0 that could cause Condor
daemons to crash when reading malformed network addresses.

    * Removed a check for root ownership of script specified by VM_SCRIPT.

    * Fixed a bug in writing the header of the EVENT_LOG.

    * Fixed a bug that could cause the condor_startd to segfault on shutdown
when using dynamic slots.

    * Fixed a problem introduced in Condor version 7.3.2 that changed the behavior
of an undocumented method for selecting attributes to be displayed in condor_q -xml.
Prior to this bug, the following command would produce XML output with the attributes
A and B, plus a few other attributes that were always shown.

      condor_q -xml -format "%s" A+B

      In Condor versions 7.3.2 and 7.4.0, this same command produced an empty XML ClassAd.
The workaround was to use multiple -format options, each listing just one desired
attribute, rather than a single one with an expression of all desired attributes.
Although this is now fixed, the more straightforward way to select attributes since
Condor version 7.3.2 is to use the -attributes option.

    * Fixed a bug introduced in Condor version 7.3.2 that resulted in messages such
as the following even in cases where no problem in communicating with the
condor_collector had been encountered:

      Collector <X> is still being avoided if an alternative succeeds.

    * Fixed a bug that has been in the condor_startd since before Condor version 6.8.
If the condor_startd ever failed to send signals to the condor_starter process, it
could fail to properly clean up the machine ClassAd, leaving attributes from
STARTD_JOB_EXPRS in the ClassAd but not making them visible in condor_status queries.
One possible problem resulting from this could be matches being made by the
condor_negotiator that are then rejected by the condor_startd. Repeated messages
such as the following would then result in the condor_startd log:

      slot1: Request to claim resource refused.

    * Fixed a problem that resulted in the following message in the condor_startd log:

      Timer -1 not found

    * Fixed a problem in which security sessions were not cached correctly when using
CCB. This resulted in re-authentication in some cases where a cached security session
could have been used.

    * Fixed multiple problems with the handling of VOMS attributes in GSI proxies.

    * Fixed a bug that caused condor_dagman to hang when running a DAG with POST scripts,
if the global event log is turned on.

    * Improved how the private network address is published when using the configuration
variables PRIVATE_NETWORK_NAME and PRIVATE_NETWORK_INTERFACE. In some cases, this
information was not being used and therefore connections were made to the public
address when they could have been made to the private address.

    * Fixed a bug in Windows XP where using USE_VISIBLE_DESKTOP would cause strange
behavior after a job completed.

    * CCB now works with TCP_FORWARDING_HOST. Previously, the reverse connection was
made to the private address rather than to the host defined by TCP_FORWARDING_HOST.

    * Removed a bad optimization that caused some information about job execution to
be lost during job completion or removal, if a history file was not configured.

    * Condor now checks whether the configuration variable GRIDFTP_URL_BASE is set
before submitting cream grid jobs, as that variable is required for cream jobs to
function properly. If the variable is not set, cream jobs are put on hold with an
appropriate message.

    * Fixed a bug that allowed running VMs to be leaked if the condor_startd crashed.

    * Fixed a bug in cream_gahp which could cause crashes when there were more than
500 cream jobs queued.

    * Improved recovery when Condor crashes during submission of a cream grid job.
Before, affected jobs would remain in REGISTERED state on the cream server, but never run.

    * Improved the HoldReason message when cream grid jobs are held by the condor_gridmanager.

    * When naming a resource for a cream grid job, Condor now properly recognizes the
format used by the standard cream client UI: https://foo.edu:8443/cream-pbs-cream_queue.

    * The configuration variable SOAP_SSL_CA_FILE is now consulted in addition to
SOAP_SSL_CA_DIR when authenticating an https proxy for Amazon EC2, when
AMAZON_HTTP_PROXY is defined.

    * Previously, if condor_rm and friends were given both a constraint and a
user name or cluster id, they would act on all jobs matching the constraint and
all jobs associated with the user or cluster. Now, this combination of arguments
results in an error.

    * Failure to purge a Cream grid universe job from the remote server because
it was previously purged no longer results in the job being held.

    * The condor_gridmanager now recognizes VOMS attributes in X509 proxies and
will handle them appropriately. For example, it recognizes that two proxies with
the same identity but different VOMS attributes may be mapped to different accounts
on a remote machine.

    * Added STARTD_PER_JOB_HISTORY_DIR to allow ads of completed jobs to be
stored in a directory separate from the existing PER_JOB_HISTORY_DIR.

    * Fixed a bug in condor_dagman (introduced in 7.3.2) that will cause
condor_dagman running on Windows to hang on any DAG using more than one log
file for the node jobs.

    * Fixed a bug in condor_dagman (introduced in 7.3.2) that could cause
condor_dagman to fail on a DAG using node job log files on multiple devices
(if log files on different devices happened to have the same inode number).

    * Fixed a bug that caused the condor_schedd to segfault when spooling more
than 9 files.

    * Fixed a bug that caused the condor_startd to crash on Debian Stable.

    * Fixed keyboard activity detection on Windows XP.

    * Fixed a bug in condor_had that caused it to not start the controlled
daemon if CCB was enabled.

Known Bugs:

    * condor_dagman may fail on Windows if the set of node job log file names
includes multiple paths that are hard links (not symlinks) to the same file.
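
The two condor_dagman log file items above (same inode number on different devices, and hard links to the same file) both come down to how a file is identified. The following is an added illustration, not Condor's code: it shows that an inode number alone merges unrelated files across devices, while the (device, inode) pair keeps them apart and still recognises hard links. The paths, device numbers and function names are constructed for the example.

```python
import os
import tempfile
from collections import defaultdict, namedtuple

# Constructed stat data for four node job log paths (not from a real pool):
# two sit on different devices but share inode 1337, two are hard links.
Stat = namedtuple("Stat", "st_dev st_ino")
SAMPLE = {
    "/disk1/nodeA.log": Stat(0x801, 1337),
    "/disk2/nodeB.log": Stat(0x811, 1337),       # different device, same inode
    "/disk1/nodeC.log": Stat(0x801, 2001),
    "/disk1/nodeC-link.log": Stat(0x801, 2001),  # hard link to nodeC.log
}

def group_paths(stats, key):
    """Group paths by key(stat); each group is treated as one log file."""
    groups = defaultdict(list)
    for path, st in stats.items():
        groups[key(st)].append(path)
    return sorted(sorted(g) for g in groups.values())

def inode_only(st):
    # Flawed identity: inode numbers are unique only within one device.
    return st.st_ino

def dev_and_inode(st):
    # POSIX file identity: the (device, inode) pair.
    return (st.st_dev, st.st_ino)

def stat_paths(paths):
    """Collect real stat results for existing paths."""
    return {p: os.stat(p) for p in paths}

def hardlink_demo():
    """Create two log files plus a hard link; return the resulting groups."""
    with tempfile.TemporaryDirectory() as d:
        a, b, c = (os.path.join(d, n) for n in ("a.log", "b.log", "other.log"))
        for p in (a, c):
            with open(p, "w") as fh:
                fh.write("constructed event line\n")
        os.link(a, b)  # b is a second name for the same file as a
        groups = group_paths(stat_paths([a, b, c]), dev_and_inode)
        return [[os.path.basename(p) for p in g] for g in groups]

if __name__ == "__main__":
    print(group_paths(SAMPLE, inode_only))     # nodeA and nodeB wrongly merged
    print(group_paths(SAMPLE, dev_and_inode))  # nodeA and nodeB kept separate
    print(hardlink_demo())
```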

Additions and Changes to the Manual:

    * None.

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================




