Date: Thu, 2 Oct 2014 15:26:21 -0600 From: Chad Vizino <cvizino@...ptivecomputing.com> To: oss-security@...ts.openwall.com Subject: tm_adopt() vulnerability in TORQUE Resource Manager Within a TORQUE Resource Manager job, the tm_adopt() TORQUE library call enables a user-built executable calling tm_adopt() to adopt any session id (and its child processes) regardless of the session id owner on any node within a job. When a job that includes the executable calling tm_adopt() exits, the adopted processes are killed along with the job processes during normal job cleanup. This can enable a non-root user to kill processes he/she doesn't own including root-owned ones on any node in a job. The issue has been fixed in the following commit numbers for the listed TORQUE Resource Manager versions: 4.2-dev 967cdc80150690459a47a35a658abeee0ca6e5cb f2f4c950f3d461a249111c8826da3beaafccace9 4.5-dev 6c4a57b2d7a56b5bda1c57e2af425ff517ffe331 5.0-dev e2b6253b62fe7e59c5852e2b914b71a095328558 develop dd7f729eedead89c9253707f85572706077ff1d3 -- Chad Vizino Adaptive Computing
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.