HTCondor Project List Archives




[Condor-devel] [prabhaka@xxxxxxxxx: [Xgrid] Sandbox & Task Permission Issues in Leopard]



Whatever Apple has as public APIs we should consider adding into Condor
as well.

-Erik

----- Forwarded message from Ernest Prabhakar <prabhaka@xxxxxxxxx> -----

Date: Fri, 15 Feb 2008 12:03:41 -0800
To: "xgrid-users-lists-apple-com" list <xgrid-users@xxxxxxxxxxxxxxx>
From: Ernest Prabhakar <prabhaka@xxxxxxxxx>
Sender: xgrid-users-bounces+epaulson=cs.wisc.edu@xxxxxxxxxxxxxxx
Subject: [Xgrid] Sandbox & Task Permission Issues in Leopard

Hi everyone,

We have had a series of "permission denied" questions lately related  
to Xgrid's new security model in Leopard, so I wanted to provide some  
background.

In Leopard, for better security Xgrid now runs tasks using the new
"sandbox" facility in Mac OS X 10.5 (more details below).  The simple
explanation is that on Leopard, tasks running as 'nobody' (i.e., any
task where either the submitting client or the receiving agent is NOT
using Kerberos authentication) have very restricted access to the
filesystem.  The details are specified here:

/usr/share/sandbox/xgridagentd_task_nobody.sb
>(allow process* sysctl* mach* network*)
>(allow file-read* (regex "^/(bin|dev|(private/)?(etc|tmp|var)|usr|System|Library)(/|$)"))
>(allow file-read* file-write* (regex "^/(private/)?(tmp|var)(/|$)"))
>
The optimal solution is to instead use Kerberos authentication for  
everything. That way, tasks instead run using:

/usr/share/sandbox/xgridagentd_task_somebody.sb
>(allow process* sysctl* mach* file-read* file-write* network*)


I realize that this may not always be viable, but in that case you are
pretty much on your own.  In theory it is possible to edit (or
replace) the task_nobody file so "nobody" processes have similar
permissions as those in "task_somebody", e.g.:

>(allow file-read* file-write* (regex "^/all(/|$)"))

However, note that this makes the system more vulnerable to rogue  
Xgrid jobs, so if you attempt this it is imperative you have other  
controls in place to safeguard your cluster.

In addition, any changes you make to system-provided files like
/usr/share/sandbox/xgridagentd* may well break or be replaced by a future
update. You have been warned!

Hope this helps,

Best,
-- Ernie P.
Xgrid Product Manager
Apple, Inc.

http://www.apple.com/macosx/technology/security.html

>Sandbox tested.
>Sometimes hackers try to hijack an application to run malicious
>code. Sandboxing helps ensure that applications do only what
>they're intended to by restricting which files they can access,
>whether they can talk to the network, and whether they can be used
>to launch other applications. Helper applications in Leopard,
>including the software that enables Bonjour and the Spotlight
>indexer, are sandboxed to guard against attackers.
>

http://images.apple.com/macosx/pdf/MacOSX_Leopard_Security_TB.pdf

>In the case of the new sandboxing facility in Leopard, mandatory access controls
>restrict access to system resources as determined by a special sandboxing profile
>that is provided for each sandboxed application. This means that even processes
>running as root can have extremely limited access to system resources.

>...Sandboxing helps ensure that applications do only what they're intended to do by
>placing controls on applications that restrict what files they can access, whether they
>can talk to the network, and whether they can be used to launch other applications.
>In Leopard, many of the system's helper applications that normally communicate
>with the network, such as mDNSResponder (the software underlying Bonjour) and
>the Kerberos KDC, are sandboxed to guard them from abuse by attackers trying to
>access the system. In addition, other programs that routinely take untrusted input (for
>instance, arbitrary files or network connections) such as Xgrid and the Quick Look and
>Spotlight background daemons are sandboxed.
>
>Sandboxing in Leopard is based on the system's mandatory access controls mechanism,
>which is implemented at the kernel level. Sandboxing profiles are developed
>for each application that runs in a sandbox, describing precisely which resources are
>accessible to the application.

ernest$ man -k sandbox
ernest$ man sandbox
>
>     The sandbox facility allows applications to voluntarily restrict their
>     access to operating system resources.  This safety mechanism is intended
>     to limit potential damage in the event that a vulnerability is exploited.
>     It is not a replacement for other operating system access controls.
>
>     New processes inherit the sandbox of their parent.  Restrictions are
>     generally enforced upon acquisition of operating system resources only.
>     For example, if file system writes are restricted, an application will
>     not be able to open(2) a file for writing.  However, if the application
>     already has a file descriptor opened for writing, it may use that file
>     descriptor regardless of restrictions.


_______________________________________________
Do not post admin requests to the list. They will be ignored.
Xgrid-users mailing list      (Xgrid-users@xxxxxxxxxxxxxxx)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/xgrid-users/epaulson%40cs.wisc.edu

This email sent to epaulson@xxxxxxxxxxx

----- End forwarded message -----
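The profiles quoted in the forwarded message are short enough to reason about by hand, but the "permission denied" reports come from exactly the cases where that reasoning goes wrong (a job reading from a home directory, or writing under a path that only looks like /tmp). The following is an added example, not code from the post, from Apple, or from the Xgrid or Condor projects: a toy evaluator for the two rule shapes those profiles use, `(allow op ...)` and `(allow op ... (regex "..."))`, with default-deny semantics. It rejoins the wrapped regex line from the email, treats the trailing `*` in an operation name as covering the more specific operations (an assumption about SBPL that matches how the profiles read), and uses Python regexes in place of Apple's. The sample paths are constructed; `/all` is the email's own illustrative path and is not a real system directory.

```python
"""Toy evaluator for the subset of Apple's sandbox profile language (SBPL)
that the quoted xgridagentd_task_*.sb profiles use.

Added example, not part of the mailing-list post or of Xgrid/Condor. It models
only two rule shapes, (allow op ...) and (allow op ... (regex "...")), with
default-deny semantics; real SBPL has many more filters and a deny form.
"""
import re
from fnmatch import fnmatchcase

# Profile text as quoted in the email, with the wrapped regex line rejoined.
TASK_NOBODY_SB = r'''
(allow process* sysctl* mach* network*)
(allow file-read* (regex "^/(bin|dev|(private/)?(etc|tmp|var)|usr|System|Library)(/|$)"))
(allow file-read* file-write* (regex "^/(private/)?(tmp|var)(/|$)"))
'''

# Profile used when both client and agent authenticate with Kerberos.
TASK_SOMEBODY_SB = r'''
(allow process* sysctl* mach* file-read* file-write* network*)
'''

# The email's illustrative widening of the nobody profile. "/all" is the
# example path from the email, not a real system directory.
TASK_NOBODY_WIDENED_SB = TASK_NOBODY_SB + r'''
(allow file-read* file-write* (regex "^/all(/|$)"))
'''

# (allow <ops> [(regex "<pattern>")]) ; <ops> may not contain parens or quotes.
RULE_RE = re.compile(
    r'\(allow\s+([^()"]+?)\s*(?:\(regex\s+"((?:[^"\\]|\\.)*)"\))?\s*\)'
)


def parse_profile(text):
    """Return a list of (operation_globs, compiled_path_regex_or_None)."""
    rules = []
    for m in RULE_RE.finditer(text):
        ops = m.group(1).split()
        path_re = re.compile(m.group(2)) if m.group(2) is not None else None
        rules.append((ops, path_re))
    return rules


def is_allowed(rules, operation, path=None):
    """Default-deny check.

    An operation name with a trailing '*' (file-read*) is assumed to cover
    every more specific operation (file-read-data, file-read-metadata, ...),
    which is what the glob match models. A rule carrying a regex filter
    applies only when the requested path matches it.
    """
    for ops, path_re in rules:
        if not any(fnmatchcase(operation, op) for op in ops):
            continue
        if path_re is None:
            return True
        if path is not None and path_re.search(path):
            return True
    return False


def file_access(rules, path):
    """Summarise what a task could do with one path: 'rw', 'r-', '-w' or '--'."""
    r = is_allowed(rules, "file-read-data", path)
    w = is_allowed(rules, "file-write-data", path)
    return ("r" if r else "-") + ("w" if w else "-")


def compare_profiles(paths):
    """Map each path to its access string under the three profiles."""
    profiles = {
        "nobody": parse_profile(TASK_NOBODY_SB),
        "nobody+all": parse_profile(TASK_NOBODY_WIDENED_SB),
        "somebody": parse_profile(TASK_SOMEBODY_SB),
    }
    return {p: {name: file_access(rules, p) for name, rules in profiles.items()}
            for p in paths}


if __name__ == "__main__":
    # Constructed sample paths; the home-directory one is the typical
    # "permission denied" case behind the questions the email answers, and
    # /tmpfoo shows why the profiles end their regexes with (/|$).
    samples = ["/usr/bin/perl", "/tmp/job.out", "/private/var/tmp/scratch",
               "/tmpfoo/leak", "/Users/alice/input.dat", "/all/shared/out"]
    for path, row in compare_profiles(samples).items():
        print(f"{path:28} " + "  ".join(f"{k}={v}" for k, v in row.items()))
```

Running it prints one row per path: under the nobody profile `/usr/bin/perl` is read-only, `/tmp/job.out` and `/private/var/tmp/scratch` are read-write, and `/tmpfoo/leak` and `/Users/alice/input.dat` are denied entirely, while the somebody profile grants read-write everywhere. The widened profile only adds `/all`; a job expecting its home directory is still denied, which is the point of checking a profile change against the actual paths a job will touch rather than assuming it "opens things up".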