IBM Spectrum LSF 10.1 Fix 501633 Readme File
Abstract
P102716. The fix enhances the LSF authorization of user credentials to prevent attacks that preload the getuid function. It addresses CVE-2018-1724.
Description
LSF uses an external authentication framework to secure user credentials for the data stream between LSF clients and servers. CVE-2018-1724 describes an attack in which a user who submits a job can preload the getuid function and change the job user.
This defect was present and undetected for over ten years, even during previous third-party security reviews. However, there are no reported instances of anyone having exploited this defect to change the job user.
This fix addresses CVE-2018-1724 by enhancing the eauth executable file to prevent the preloading of getuid, so that users cannot change their job user at job submission time. To prevent preloading in eauth entirely, this fix provides two new options for the hostsetup script.
A summary of the steps to apply this fix is as follows (for detailed steps, follow section 5, Installation and configuration):
1. Back up the original eauth file.
2. Copy the eauth.cve file to eauth in the LSF_SERVERDIR directory, making sure that the privileges are the same as before.
3. On each host, run hostsetup --ext-serverdir="ext_serverdir" --eauth-key="your-eauth-key" with root privileges.
The new options that this fix introduces for the hostsetup script are: --ext-serverdir and --eauth-key.
--ext-serverdir: Specify the location of the eauth executable file. <dir> must be accessible to the local host where hostsetup is running.
--eauth-key: Specify the key string. Running this command option writes the following line to the /etc/lsf.sudoers file:
LSF_EAUTH_KEY="key"
The hostsetup --ext-serverdir command option performs the following actions:
1. Create a soft link from the cluster's lsf.conf to /etc/lsf.conf.
2. Write values for the LSF_EXT_SERVERDIR, LSF_SERVERDIR, and LSF_ENV_OVERRIDE=N parameters to the /etc/lsf.conf file.
3. Copy eauth and esub* to the LSF_EXT_SERVERDIR directory, give them root privileges, and set the setuid (s) bit on eauth.
LSF_ENV_OVERRIDE=N means that LSF uses only the parameter values in /etc/lsf.conf, so LSF_SERVERDIR, LSF_BINDIR, and LSF_LIBDIR must also be defined there.
If the LSF_EXT_SERVERDIR parameter is configured, LSF uses the eauth under this directory. Do not remove the eauth file in the LSF_SERVERDIR directory for compatibility reasons.
Because this issue does not affect Windows, eauth.cve.exe is the only file for Windows platforms. For Windows hosts, after applying this fix, shut down the LSF cluster, rename eauth.exe to eauth.bk.exe and eauth.cve.exe to eauth.exe, then start up the LSF cluster.
Sites that use LSF Kerberos authentication are not affected by this issue, but installing this fix addresses potential vulnerabilities if LSF Kerberos authentication is unavailable.
NOTES:
Readme file for: IBM® Spectrum LSF
Product/Component Release: 10.1
Update Name: Fix 501633
Fix ID: LSF-10.1-build501633
Publication date: 10 September 2018
Last modified date: 27 September 2018
Contents:
1. List of fixes
2. Download location
3. Products or components affected
4. System requirements
5. Installation and configuration for non-Windows
6. Installation and configuration for Windows
7. List of files
8. Product notifications
9. Copyright and trademark information
1. List of fixes
P102716
2. Download Location
Download Fix 501633 from the following location: http://www.ibm.com/eserver/support/fixes/
3. Products or components affected
Affected components for non-Windows include: LSF/eauth.cve, LSF/hostsetup, LSF/lim, LSF/pim, LSF/mbatchd, LSF/mbschd, LSF/sbatchd, LSF/res, LSF/bsub, LSF/bmod, LSF/badmin, LSF/lsadmin, LSF/bmgroup, LSF/bstatus, LSF/bmig, LSF/bstop, LSF/bapp, LSF/lseligible, LSF/lsreconfig, LSF/lsreghost, LSF/lsfrestart, LSF/lsrtasks, LSF/bswitch, LSF/lsfshutdown, LSF/lsrun, LSF/bparams, LSF/btop, LSF/bbot, LSF/bpeek, LSF/bugroup, LSF/bchkpnt, LSF/bpost, LSF/busers, LSF/bclusters, LSF/lsfstartup, LSF/bconf, LSF/bqueues, LSF/bread, LSF/lsgrun, LSF/bgadd, LSF/lshosts, LSF/bgbroker, LSF/breconfig, LSF/egoconfig, LSF/lsid, LSF/bgdel, LSF/brequeue, LSF/egoenv, LSF/lsinfo, LSF/bgmod, LSF/bresize, LSF/egoexec, LSF/lsload, LSF/bgpinfo, LSF/bresources, LSF/lsloadadj, LSF/bhist, LSF/brestart, LSF/egosh, LSF/lslockhost, LSF/bhosts, LSF/bresume, LSF/lslogin, LSF/bhpart, LSF/brlainfo, LSF/bjdepinfo, LSF/brsvadd, LSF/bjgroup, LSF/brsvdel, LSF/bjobs, LSF/brsvmod, LSF/bkill, LSF/brsvs, LSF/lsacct, LSF/lsmon, LSF/blaunch, LSF/blimits, LSF/bsla, LSF/lsadmin, LSF/bmg, LSF/bslots, LSF/lsclusters, LSF/lsrcp, LSF/nios, LSF/melim, LSF/egosh, LSF/egosc, LSF/schmod_demand.so, LSF/schmod_bluegene.so, LSF/schmod_cpuset.so, LSF/schmod_dist.so, LSF/schmod_jobweight.so, LSF/schmod_mc.so, LSF/schmod_pset.so, LSF/schmod_rms.so, LSF/schmod_xl.so
libbat.a, libbat.so (libbat.dylib for Mac OS, libbat.sl for HP OS), liblsf.a, liblsf.so (liblsf.dylib for Mac OS, liblsf.sl for HP OS), lsbatch.h, lsf.h
Affected components for Windows include:
LSF/eauth.cve.exe
4. System requirements
aix-64
hpuxia64
linux2.6-glibc2.3-x86_64
linux3.12-glibc2.17-armv8
linux3.10-glibc2.17-ppc64le
linux3.10-glibc2.17-x86_64
macosx
sparc-sol10-64
x86-64-sol10
win-x64
5. Installation and configuration for non-Windows
5.1 Before installation
(LSF_TOP=Full path to the top-level installation directory of LSF.)
1) Log on to the LSF master host as root
2) Set your environment:
- For csh or tcsh: % source LSF_TOP/conf/cshrc.lsf
- For sh, ksh, or bash: $ . LSF_TOP/conf/profile.lsf
5.2 Installation steps
Follow the complete installation procedure on every host to use LSF with non-shared file systems.
1) Go to the patch install directory: cd $LSF_ENVDIR/../10.1/install/
2) Copy the patch file to the install directory $LSF_ENVDIR/../10.1/install/
3) Run patchinstall: ./patchinstall <patch>
5.3 After installation
1) Run badmin hshutdown all
2) Run lsadmin resshutdown all
3) Run lsadmin limshutdown all
4) Back up the eauth on all installed hosts as eauth.bak
5) Copy the eauth.cve to replace the eauth on all LSF hosts
6) Run chmod u+s $LSF_SERVERDIR/eauth to configure eauth as setuid to root
7) If the cluster is a heterogeneous cluster with a shared installation, set LSF_LINK_PATH in $LSF_ENVDIR/lsf.conf to a local machine path
8) As root, run hostsetup --ext-serverdir="ext_serverdir" --eauth-key="your-eauth-key" to specify the secured eauth path and the eauth key
9) Change LSF_SERVERDIR=$LSF_LINK_PATH/etc in $LSF_ENVDIR/lsf.conf
10) Run lsadmin limstartup all
11) Run lsadmin resstartup all
12) Run badmin hstartup all
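The steps in section 5.3 together with the hostsetup --ext-serverdir and --eauth-key actions described above leave a specific end state on each host. The following POSIX sh check, an added example and not part of the fix package, verifies that state: the three parameters in /etc/lsf.conf, a setuid root eauth in LSF_EXT_SERVERDIR, the compatibility eauth still present in LSF_SERVERDIR, and LSF_EAUTH_KEY in an lsf.sudoers that is root-owned and mode 600. The file paths and the optional OWNER argument (defaulting to root) are assumptions so the check can be run against any host or a test copy.

```shell
#!/bin/sh
# Post-installation check for this fix. Added example, not part of the fix
# package. It verifies the end state left by the section 5.3 steps and by
# hostsetup --ext-serverdir / --eauth-key: the parameters in /etc/lsf.conf,
# a setuid-root eauth in LSF_EXT_SERVERDIR, the compatibility eauth kept in
# LSF_SERVERDIR, and LSF_EAUTH_KEY in a root-only /etc/lsf.sudoers.
# Assumptions: file paths are passed as arguments; OWNER defaults to root.

# Print the (unquoted) value of PARAM from FILE; the last assignment wins.
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}
file_owner() { ls -ld "$1" | awk '{print $3}'; }   # owner as shown by ls -l
file_mode()  { ls -ld "$1" | awk '{print $1}'; }   # e.g. -rw-------

# check_eauth_fix LSF_CONF LSF_SUDOERS [OWNER]; returns 0 only if all pass.
check_eauth_fix() {
    cef_conf=$1; cef_sudoers=$2; cef_owner=${3:-root}; cef_rc=0
    cef_ext=$(conf_value "$cef_conf" LSF_EXT_SERVERDIR)
    cef_srv=$(conf_value "$cef_conf" LSF_SERVERDIR)
    cef_ovr=$(conf_value "$cef_conf" LSF_ENV_OVERRIDE)
    cef_key=$(conf_value "$cef_sudoers" LSF_EAUTH_KEY)

    # hostsetup --ext-serverdir writes these three parameters to /etc/lsf.conf.
    if [ -n "$cef_ext" ] && [ -n "$cef_srv" ] && [ "$cef_ovr" = N ]; then
        echo "ok: $cef_conf defines LSF_EXT_SERVERDIR, LSF_SERVERDIR, LSF_ENV_OVERRIDE=N"
    else
        echo "FAIL: $cef_conf is missing LSF_EXT_SERVERDIR, LSF_SERVERDIR or LSF_ENV_OVERRIDE=N"; cef_rc=1
    fi
    # The eauth that LSF now runs must carry the setuid bit and belong to root.
    if [ -u "$cef_ext/eauth" ] && [ "$(file_owner "$cef_ext/eauth")" = "$cef_owner" ]; then
        echo "ok: $cef_ext/eauth is setuid and owned by $cef_owner"
    else
        echo "FAIL: $cef_ext/eauth missing, not setuid, or not owned by $cef_owner"; cef_rc=1
    fi
    # The original eauth stays in LSF_SERVERDIR for compatibility.
    [ -f "$cef_srv/eauth" ] || { echo "FAIL: $cef_srv/eauth was removed"; cef_rc=1; }
    # LSF_EAUTH_KEY is a shared secret: it must be set and readable by root only.
    [ -n "$cef_key" ] || { echo "FAIL: no LSF_EAUTH_KEY in $cef_sudoers"; cef_rc=1; }
    case $(file_mode "$cef_sudoers") in
        -rw-------*) [ "$(file_owner "$cef_sudoers")" = "$cef_owner" ] && cef_ok=1 || cef_ok=0 ;;
        *) cef_ok=0 ;;
    esac
    [ "$cef_ok" = 1 ] || { echo "FAIL: $cef_sudoers must be mode 600 and owned by $cef_owner"; cef_rc=1; }
    return $cef_rc
}

# Typical invocation on a patched host: check_eauth_fix /etc/lsf.conf /etc/lsf.sudoers
if [ $# -ge 2 ]; then check_eauth_fix "$@"; fi
```

Run it on every host after step 12; a non-zero exit lists which of the section 5.3 steps was skipped.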
5.4 Uninstallation
1) Run badmin hshutdown all
2) Run lsadmin resshutdown all
3) Run lsadmin limshutdown all
4) Go to the patch install directory (cd $LSF_ENVDIR/../10.1/install/) and run ./patchinstall -r <patch>
5) Replace eauth with the backup eauth.bak on all LSF hosts
6) Run chmod u+s $LSF_SERVERDIR/eauth to configure eauth as setuid to root
7) Remove /etc/lsf.conf on each host, and comment out LSF_EXT_SERVERDIR, LSF_ENV_OVERRIDE, and LSF_SERVERDIR in $LSF_ENVDIR/lsf.conf
8) Remove the LSF_EAUTH_KEY line from /etc/lsf.sudoers
9) Run lsadmin limstartup all
10) Run lsadmin resstartup all
11) Run badmin hstartup all
6. Installation and configuration for Windows
6.1 Before installation
None
6.2 Installation steps
1) Log on to the LSF master host as LSF cluster administrator
2) Run badmin hshutdown all
3) Run lsadmin resshutdown all
4) Run lsadmin limshutdown all
5) Log on to the Windows host as administrator, install the Windows patch
6.3 After installation
1) Log on to the Windows host as administrator
2) Back up the eauth.exe on the Windows host as eauth.bak.exe
3) Copy the eauth.cve.exe to replace the eauth.exe on the Windows host
4) Log on to the LSF master host as LSF cluster administrator
5) Run lsadmin limstartup all
6) Run lsadmin resstartup all
7) Run badmin hstartup all
6.4 Uninstallation
1) Log on to the LSF master host as LSF cluster administrator.
2) Run badmin hshutdown all
3) Run lsadmin resshutdown all
4) Run lsadmin limshutdown all
5) Log on to the Windows host as administrator, remove the patch installation from the Windows control panel on the Windows host
6) Replace eauth.exe with the backup eauth.bak.exe on the Windows host
7) Log on to the LSF master host as LSF cluster administrator.
8) Run lsadmin limstartup all
9) Run lsadmin resstartup all
10) Run badmin hstartup all
7. List of files
Non-Windows:
badmin eauth.cve lsadmin mbatchd res sbatchd bsub bmod hostsetup lim mbschd pim
bmgroup bstatus bmig bstop bapp lseligible lsreconfig lsreghost lsfrestart lsrtasks bswitch lsfshutdown lsrun bparams btop bbot bpeek bugroup bchkpnt bpost busers bclusters lsfstartup bconf bqueues bread lsgrun bgadd lshosts bgbroker breconfig egoconfig lsid bgdel brequeue egoenv lsinfo bgmod bresize egoexec lsload bgpinfo bresources lsloadadj bhist brestart egosh lslockhost bhosts bresume lslogin bhpart brlainfo bjdepinfo brsvadd bjgroup brsvdel bjobs brsvmod bkill brsvs lsacct lsmon blaunch blimits bsla lsadmin bmg bslots lsclusters lsrcp
nios melim ego_client egosc schmod_demand.so schmod_bluegene.so schmod_cpuset.so schmod_dist.so schmod_jobweight.so schmod_mc.so schmod_pset.so schmod_rms.so schmod_xl.so
libbat.a libbat.so (libbat.dylib for Mac OS, libbat.sl for HP OS) liblsf.a liblsf.so (liblsf.dylib for Mac OS, liblsf.sl for HP OS) liblsbstream.so liblsbstream.a lsbatch.h lsf.h
Windows:
eauth.cve.exe
8. Product notifications
To receive information about product solution and patch updates automatically, subscribe to product notifications on the My notifications page (www.ibm.com/support/mynotifications) on the IBM Support website (support.ibm.com). You can edit your subscription settings to choose the types of information you want to get notification about, for example, security bulletins, fixes, troubleshooting, and product enhancements or documentation changes.
9. Copyright and trademark information
© Copyright IBM Corporation 2018
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM®, the IBM logo and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.