Bug 654856 - (CVE-2010-4179) CVE-2010-4179 schedd plugin: enable QUEUE_ALL_USERS_TRUSTED for Submit/Hold/Release/Remove ops
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All Linux
Priority: high Severity: high
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 644041
Reported: 2010-11-18 16:26 EST by Vincent Danen
Modified: 2015-08-19 04:59 EDT
Doc Type: Bug Fix
Last Closed: 2015-07-29 09:20:50 EDT
Description Vincent Danen 2010-11-18 16:26:39 EST
In MRG 1.3, the provided Management Console Installation Guide instructed administrators to explicitly configure "QUEUE_ALL_TRUSTED_USERS=True" so that the management console (cumin) could facilitate submissions on behalf of a user.  This configuration facilitated a trust relationship between cumin and the condor-qmf plugins. However, there was inadequate access control for securing the trusted channel; anyone able to publish to a broker could submit jobs.  As well, this meant that a user could submit a job to run as any other user other than root (Condor does not run jobs as root).

In a future update, through enhancements to the QMF Agent, access control on the condor-qmf plugins is adequate to secure the trust relationship.
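
A defensive check for the setting described above, as an added example that is not part of the bug report or of Condor/MRG: it scans Condor configuration text for the knob under both spellings used on this page and reports the last value assigned to each name. It assumes flat `NAME = value` lines with case-insensitive names, optional `SUBSYS.` prefixes, `#` comment lines and backslash continuations; the function names, the set of literals treated as enabled, and the sample text are constructed for illustration.

```python
import re

# Both spellings occur on this page (bug title and description); check each.
KNOBS = {"QUEUE_ALL_USERS_TRUSTED", "QUEUE_ALL_TRUSTED_USERS"}
# Assumption: literal values counted as "enabled".
TRUTHY = {"true", "t", "yes", "1"}
ASSIGN = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*)$")

# Constructed sample configuration, not taken from a real host.
SAMPLE = r"""# local overrides
QUEUE_ALL_USERS_TRUSTED = False
queue_all_users_trusted = TRUE
SCHEDD.QUEUE_ALL_TRUSTED_USERS = \
    False
"""


def logical_lines(text):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = n
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf = ""
    if buf:
        yield start, buf


def audit(text):
    """Map each knob name (upper-cased, prefix kept) to its last (line, value, enabled)."""
    found = {}
    for n, line in logical_lines(text):
        m = None if line.lstrip().startswith("#") else ASSIGN.match(line)
        if m and m.group(1).upper().rsplit(".", 1)[-1] in KNOBS:
            value = m.group(2).strip()
            found[m.group(1).upper()] = (n, value, value.lower() in TRUTHY)
    return found


if __name__ == "__main__":
    for name, (n, value, enabled) in sorted(audit(SAMPLE).items()):
        print(f"line {n}: {name} = {value} -> {'ENABLED' if enabled else 'off'}")
```

Conditionals, include directives and macro expansion are not evaluated, so a value written as an expression is reported verbatim and marked as not enabled.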
Comment 1 errata-xmlrpc 2010-11-30 12:50:22 EST
This issue has been addressed in the following products:

  MRG for RHEL-5

Via RHSA-2010:0921 https://rhn.redhat.com/errata/RHSA-2010-0921.html
Comment 2 errata-xmlrpc 2010-11-30 13:01:27 EST
This issue has been addressed in the following products:

  Messaging for MRG on RHEL-4
  Messaging Base for MRG on RHEL-4
  Grid for MRG on RHEL-4
  Grid Execute Node for MRG on RHEL-4

Via RHSA-2010:0922 https://rhn.redhat.com/errata/RHSA-2010-0922.html