Paul Hopkins
2014-10-16 14:11:50 UTC
Hi all,
We currently use Globus tools within our organisation to allow our users to
access a number of compute clusters. To manage the grid mapfiles across all
of the cluster sites we have developed software that periodically downloads
information from a central LDAP and updates the mapfile at each site. In
order for users to manage their own grid subjects there is a webpage which
allows the user to enter their grid subjects and these are then stored
unsanitised in the LDAP. We have now realised that by adding extra
double-quote characters it is possible for users to enter malicious
subject entries which would allow them to log in to other people's accounts.
For example if I enter a subject
/DC=org/DC=cilogon/C=US/O=LIGO/CN=Paul Hopkins ***@ligo.org" albert.einstein "
Then our tool would enter it into the mapfile as:
"/DC=org/DC=cilogon/C=US/O=LIGO/CN=Paul Hopkins ***@ligo.org" albert.einstein "" paul.hopkins
which allows me to log in as albert.einstein.
I realise that the problem is entirely our own creation and we have now
made steps to prevent unescaped double quotes from being allowed through.
However, during my research I found that the Globus tool
grid-mapfile-add-entry also allows one to insert potentially dangerous
subject entries. For example:
# SUBJECT='/DC=org/DC=example/DC=grid/CN=Joe User" root "'
# grid-mapfile-add-entry -dn "${SUBJECT}" -ln joe.user
Modifying /etc/grid-security/grid-mapfile ...
New entry:
"/DC=org/DC=example/DC=grid/CN=Joe User" root "" joe.user
Furthermore, grid-mapfile-check-consistency does not pick up on the problem
either. However, it does complain if you separate the user list with a
comma and a space:
Checking /etc/grid-security/grid-mapfile grid mapfile
Verifying grid mapfile existence...OK
Checking for duplicate entries...
ERROR: Missing double quotes in the following entry:
"/DC=org/DC=cilogon/C=US/O=LIGO/CN=Paul Hopkins ***@ligo.org" paul.hopkins, joe.user
OK
Checking for valid user names...OK
I wonder if it is sufficient to just check for unescaped double quotes? It
may be possible to use new-lines but our workflow does not allow this. Are
there any other things we should be looking for? Should the Globus tools
pick up on these problems?
Thanks in advance,
Paul
--
Paul Hopkins
Computational Infrastructure Scientist
Cardiff University
***@astro.cf.ac.uk
Office: +44 (0)2920 876964
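
An added example, not part of the original post and not Globus code: a Python sketch of an allow-list check applied before a subject is written to a mapfile, plus an audit pass that flags existing entries such as the one shown above. The function names, the strict line grammar (one quoted DN, whitespace, comma-separated local names with no spaces), the `#` comment handling and the local-name pattern are assumptions made for this example.

```python
import re

# Assumed conservative grammar: "DN" <space> user[,user...]
# The DN may not contain double quotes, backslashes or control characters
# (which covers newlines); escaped quotes are rejected rather than parsed.
_BAD = r'"\\\x00-\x1f\x7f'
_LOCAL_NAME = r"[A-Za-z_][A-Za-z0-9_.-]*"   # assumed local account pattern
_USERS = rf"{_LOCAL_NAME}(?:,{_LOCAL_NAME})*"
_STRICT_LINE = re.compile(rf'"(?P<dn>/[^{_BAD}]+)"[ \t]+(?P<users>{_USERS})')
_FORBIDDEN_IN_DN = re.compile(rf"[{_BAD}]")


def format_entry(dn: str, local_users: list[str]) -> str:
    """Return one mapfile line, or raise ValueError on unsafe input."""
    if not dn.startswith("/") or _FORBIDDEN_IN_DN.search(dn):
        raise ValueError(f"unsafe subject DN: {dn!r}")
    if not local_users:
        raise ValueError("no local user given")
    for name in local_users:
        if not re.fullmatch(_LOCAL_NAME, name):
            raise ValueError(f"unsafe local user name: {name!r}")
    return f'"{dn}" {",".join(local_users)}'


def audit_mapfile(text: str) -> list[tuple[int, str]]:
    """Return (line number, line) for every entry outside the strict grammar."""
    bad = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):  # blank or comment
            continue
        if not _STRICT_LINE.fullmatch(stripped):
            bad.append((number, stripped))
    return bad


# Constructed sample; the second line is the entry quoted in the post.
SAMPLE = (
    '"/DC=org/DC=example/DC=grid/CN=Alice Example" alice.example\n'
    '"/DC=org/DC=example/DC=grid/CN=Joe User" root "" joe.user\n'
    '"/DC=org/DC=example/DC=grid/CN=Bob Example" bob.example,bob2\n'
)

if __name__ == "__main__":
    for number, line in audit_mapfile(SAMPLE):
        print(f"line {number}: rejected: {line}")
```

Validating at write time and auditing the generated file are independent checks: the first stops new bad entries, the second finds ones already distributed to cluster sites.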