From f2f4c950f3d461a249111c8826da3beaafccace9 Mon Sep 17 00:00:00 2001
From: Chad Vizino
Date: Tue, 23 Sep 2014 17:40:59 -0600
Subject: [PATCH 1/2] TRQ-2885 - limit tm_adopt() to only adopt a session id that is owned by the calling user.
---
 src/cmds/pbs_track.c | 6 ++++++
 src/include/tm.h | 2 +-
 src/include/tm_.h | 1 +
 src/lib/Libifl/tm.c | 37 ++++++++++++++++++++++++++++++++++---
 5 files changed, 56 insertions(+), 4 deletions(-)
diff --git a/src/cmds/pbs_track.c b/src/cmds/pbs_track.c
index 7a90fda..9383ea5 100644
--- a/src/cmds/pbs_track.c
+++ b/src/cmds/pbs_track.c
@@ -164,6 +164,12 @@ int main(
 break;
+ case TM_EPERM:
+
+ fprintf(stderr, "pbs_track: permission denied: %s (%d)\n",
+ pbse_to_txt(rc),
+ rc);
+
 default: /* Unexpected error occurred */
diff --git a/src/include/tm.h b/src/include/tm.h
index 106d3fb..2288828 100644
--- a/src/include/tm.h
+++ b/src/include/tm.h
@@ -125,7 +125,7 @@ int tm_register(tm_whattodo_t *what,
 /*
 * DJH 15 Nov 2001.
 * Generic "out-of-band" task adoption call for tasks parented by
- * another job management system. Minor security hole?
+ * another job management system.
 * Cannot be called with any other tm call.
 * 26 Feb 2002. Allows id to be jobid (adoptCmd = TM_ADOPT_JOBID)
 * or some altid (adoptCmd = TM_ADOPT_ALTID)
diff --git a/src/include/tm_.h b/src/include/tm_.h
index c9393b9..8cae7b0 100644
--- a/src/include/tm_.h
+++ b/src/include/tm_.h
@@ -136,6 +136,7 @@ typedef unsigned int tm_task_id;
 #define TM_EBADENVIRONMENT 17005
 #define TM_ENOTFOUND 17006
 #define TM_BADINIT 17007
+#define TM_EPERM 17008
 #define TM_TODO_NOP 5000 /* Do nothing (the nodes value may be new) */
 #define TM_TODO_CKPT 5001 /* Checkpoint and continue it */
diff --git a/src/lib/Libifl/iff --git a/src/lib/Libifl/tm.c b/src/lib/Libifl/tm.c
index edb6273..4f38529 100644
--- a/src/lib/Libifl/tm.c
+++ b/src/lib/Libifl/tm.c
@@ -94,6 +94,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
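Review bot: The new `case TM_EPERM:` in pbs_track.c has no `break;` after the `fprintf`, so control falls through into `default:` and, judging by that label's comment, a permission failure is then also handled as an unexpected error. Add `break;` after `rc);`, or mark the fall-through with a `/* fall through */` comment if it is intended. The bodies of `default:` and of the enclosing `switch` lie outside the hunk.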
@@ -169,6 +170,31 @@ typedef struct event_info
 static event_info *event_hash[EVENT_HASH];
 /*
+ * check if the owner of this process matches the owner of pid
+ * returns TRUE if so, FALSE otherwise
+ */
+bool ispidowner(pid_t pid)
+ {
+ char path[MAXPATHLEN];
+ struct stat sbuf;
+
+ /* build path to pid */
+ snprintf(path, sizeof(path), "/proc/%d", pid);
+
+ /* do the stat */
+ /* if it fails, assume not owner */
+ if (stat(path, &sbuf) != 0)
+ return(FALSE);
+
+ /* see if caller is the owner of pid */
+ if (getuid() != sbuf.st_uid)
+ return(FALSE);
+
+ /* caller is owner */
+ return(TRUE);
+ }
+
+/*
 ** Find an event number or return a NULL.
 */
 event_info *find_event(
@@ -1800,8 +1826,8 @@ tm_poll_error:
 * some mpiruns simply use rsh to start remote processes - no AMS
 * tracking or management facilities are available.
 *
- * This function allows any task (session) to be adopted into a PBS
- * job. It is used by:
+ * This function allows any task (session) owned by the owner
+ * of the job to be adopted into a PBS job. It is used by:
 * - "adopter" (which is in turn used by our pvmrun)
 * - our rmsloader wrapper (a home-brew replacement for RMS'
 * rmsloader that does some work and then exec()s the real
@@ -1835,7 +1861,8 @@ tm_poll_error:
 * the mom. Returns TM_ENOTFOUND if the mom couldn't find a job
 * with the given RMS resource id. Returns TM_ESYSTEM or
 * TM_ENOTCONNECTED if there was some sort of comms error talking
- * to the mom
+ * to the mom. Returns TM_EPERM if an attempt was made to adopt
+ * a session not owned by the owner of the job.
 *
 * Side effects:
 * Sets the tm_* globals to fake values if tm_init() has never
@@ -1860,6 +1887,10 @@ int tm_adopt(
 sid = getsid(pid);
+ /* do not adopt a sid not owned by caller */
+ if (!ispidowner(sid))
+ return(TM_EPERM);
+
 /* Must be the only call to call to tm and must only be called once */
-- 
1.8.3.2
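Review bot: `ispidowner()` is added without `static`, so Libifl now exports a generically named symbol that no header visible in this patch declares; if `tm_adopt()` is its only caller, make it `static bool ispidowner(pid_t pid)`. The header comment should also say that the test depends on a `/proc/<pid>` directory being present: on a system without one the `stat()` fails and every adopt is refused, which fails closed but will surprise a porter. `pid` is passed to `%d` as a `pid_t`; writing `(int)pid` keeps the argument matched to the format.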
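Review bot: In `tm_adopt()` the ownership test runs in the client library, inside the calling user's own process, so it binds only callers that go through this build of Libifl; the mom should repeat the check when it handles the adopt request. Whether it does is not visible here (this is patch 1/2, and the diffstat counts five files while the page shows four). The result of `getsid(pid)` is also used unchecked: on failure it is -1, `ispidowner()` then fails its `stat()`, and the caller gets `TM_EPERM` for what is a lookup error. A guard before the test, `if (sid == (pid_t)-1) return(TM_ESYSTEM);`, keeps the two cases apart. tm_adopt's body starts and ends outside the hunk.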