You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
gentoo-overlay/sys-cluster/torque/files/TRQ-2885-limit-tm_adopt-to-...

135 lines
4.2 KiB

From f2f4c950f3d461a249111c8826da3beaafccace9 Mon Sep 17 00:00:00 2001
From: Chad Vizino <cvizino@adaptivecomputing.com>
Date: Tue, 23 Sep 2014 17:40:59 -0600
Subject: [PATCH 1/2] TRQ-2885 - limit tm_adopt() to only adopt a session id
that is owned by the calling user.
---
src/cmds/pbs_track.c | 6 ++++++
src/include/tm.h | 2 +-
src/include/tm_.h | 1 +
src/lib/Libifl/tm.c | 37 ++++++++++++++++++++++++++++++++++---
5 files changed, 56 insertions(+), 4 deletions(-)
diff --git a/src/cmds/pbs_track.c b/src/cmds/pbs_track.c
index 7a90fda..9383ea5 100644
--- a/src/cmds/pbs_track.c
+++ b/src/cmds/pbs_track.c
@@ -164,6 +164,12 @@ int main(
break;
+ case TM_EPERM:
+
+ fprintf(stderr, "pbs_track: permission denied: %s (%d)\n",
+ pbse_to_txt(rc),
+ rc);
+
default:
/* Unexpected error occurred */
diff --git a/src/include/tm.h b/src/include/tm.h
index 106d3fb..2288828 100644
--- a/src/include/tm.h
+++ b/src/include/tm.h
@@ -125,7 +125,7 @@ int tm_register(tm_whattodo_t *what,
/*
* DJH 15 Nov 2001.
* Generic "out-of-band" task adoption call for tasks parented by
- * another job management system. Minor security hole?
+ * another job management system.
* Cannot be called with any other tm call.
* 26 Feb 2002. Allows id to be jobid (adoptCmd = TM_ADOPT_JOBID)
* or some altid (adoptCmd = TM_ADOPT_ALTID)
diff --git a/src/include/tm_.h b/src/include/tm_.h
index c9393b9..8cae7b0 100644
--- a/src/include/tm_.h
+++ b/src/include/tm_.h
@@ -136,6 +136,7 @@ typedef unsigned int tm_task_id;
#define TM_EBADENVIRONMENT 17005
#define TM_ENOTFOUND 17006
#define TM_BADINIT 17007
+#define TM_EPERM 17008
#define TM_TODO_NOP 5000 /* Do nothing (the nodes value may be new) */
#define TM_TODO_CKPT 5001 /* Checkpoint <what> and continue it */
diff --git a/src/lib/Libifl/iff --git a/src/lib/Libifl/tm.c b/src/lib/Libifl/tm.c
index edb6273..4f38529 100644
--- a/src/lib/Libifl/tm.c
+++ b/src/lib/Libifl/tm.c
@@ -94,6 +94,7 @@
#include <errno.h>
#include <assert.h>
#include <sys/types.h>
+#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
@@ -169,6 +170,31 @@ typedef struct event_info
static event_info *event_hash[EVENT_HASH];
/*
+ * check if the owner of this process matches the owner of pid
+ * returns TRUE if so, FALSE otherwise
+ */
+bool ispidowner(pid_t pid)
+ {
+ char path[MAXPATHLEN];
+ struct stat sbuf;
+
+ /* build path to pid */
+ snprintf(path, sizeof(path), "/proc/%d", pid);
+
+ /* do the stat */
+ /* if it fails, assume not owner */
+ if (stat(path, &sbuf) != 0)
+ return(FALSE);
+
+ /* see if caller is the owner of pid */
+ if (getuid() != sbuf.st_uid)
+ return(FALSE);
+
+ /* caller is owner */
+ return(TRUE);
+ }
+
+/*
** Find an event number or return a NULL.
*/
event_info *find_event(
@@ -1800,8 +1826,8 @@ tm_poll_error:
* some mpiruns simply use rsh to start remote processes - no AMS
* tracking or management facilities are available.
*
- * This function allows any task (session) to be adopted into a PBS
- * job. It is used by:
+ * This function allows any task (session) owned by the owner
+ * of the job to be adopted into a PBS job. It is used by:
* - "adopter" (which is in turn used by our pvmrun)
* - our rmsloader wrapper (a home-brew replacement for RMS'
* rmsloader that does some work and then exec()s the real
@@ -1835,7 +1861,8 @@ tm_poll_error:
* the mom. Returns TM_ENOTFOUND if the mom couldn't find a job
* with the given RMS resource id. Returns TM_ESYSTEM or
* TM_ENOTCONNECTED if there was some sort of comms error talking
- * to the mom
+ * to the mom. Returns TM_EPERM if an attempt was made to adopt
+ * a session not owned by the owner of the job.
*
* Side effects:
* Sets the tm_* globals to fake values if tm_init() has never
@@ -1860,6 +1887,10 @@ int tm_adopt(
sid = getsid(pid);
+ /* do not adopt a sid not owned by caller */
+ if (!ispidowner(sid))
+ return(TM_EPERM);
+
/* Must be the only call to call to tm and
must only be called once */
--
1.8.3.2