IBM Spectrum LSF 10.1 Fix 501633 Readme File

 

Abstract 

 

P102716. The fix enhances LSF security of authorizing user credentials to prevent attacking by preloading getuid function. It addresses CVE-2018-1724.

 

Description


LSF uses an external authentication framework to secure user credentials for the data stream between LSF clients and servers. Addressed by CVE-2018-1724, there is an attacking method that, when submitting a job, users can preload the getuid and change the job user.

This defect was present and undetected for over ten years, even during previous third party security reviews. However, there are no reported instances of anyone having exploited this defect to change job user.

This fix addresses CVE-2018-1724 by enhancing the eauth executable file to prevent the preloading of  getuid to avoid the users changing their job user at job submission time. To prevent preloading in eauth entirely, this fix provides two new options for the hostsetup script. 


A summary of the steps apply this fix is as follows (for detailed steps, follow section 5, Installation and configuration):

1.    Back up the original eauth file.

2.    Copy the eauth.cve file to eauth in the LSF_SERVERDIR directory, making sure that the privileges are the same as before.

3.    On each host, run hostsetup --ext-serverdir="ext_serverdir" --eauth-key=”your-eauth-key” with root privileges.


The new options that this fix introduces for the hostsetup script are: --ext-serverdir and --eauth-key.

--ext-serverdir: Specify the location of the eauth executable file.

      <dir> must be accessible to the local host where hostsetup is running.

--eauth-key:     Specify the key string. Running this command option

      writes the following line to the /etc/lsf.sudoers file:

      LSF_EAUTH_KEY="key"

The hostsetup --ext-serverdir command option performs the following actions:

1.    Create a soft link from the cluster’s lsf.conf to /etc/lsf.conf,

2.    Write values for the LSF_EXT_SERVERDIR, LSF_SERVERDIR, and LSF_ENV_OVERRIDE=N parameters to the /etc/lsf.conf file.

3.    Copy eauth and esub* to the LSF_EXT_SERVERDIR directory, give it root privileges, and set the S bit to eauth.

LSF_ENV_OVERRIDE=N means that LSF will only use parameters values in /etc/lsf.conf, also LSF_SERVERDIR, LSF_BINDIR, LSF_LIBDIR must be defined.

If the LSF_EXT_SERVERDIR parameter is configured, LSF uses the eauth under this directory. Do not remove the eauth file in the LSF_SERVERDIR directory for compatibility reasons.


Because this issue does not impact Windows, eauth.cve.exe is the only file for Windows platforms. For Windows hosts, after patching this fix, shut down the LSF cluster, then rename eauth.exe to eauth.bk.exe, and eauth.cve.exe to eauth.exe, then start up the LSF cluster.

Sites that use LSF Kerberos authentication are not affected by this issue, but installing this fix addresses potential vulnerabilities if LSF Kerberos authentication is unavailable.   


NOTES:


Readme file for: IBM® Spectrum LSF

Product/Component Release: 10.1 

Update Name: Fix 501633

Fix ID: LSF-10.1-build501633

Publication date: 10 September 2018 

Last modified date:  27 September 2018 

Contents:

 

1.     List of fixes 

2.     Download location 

3.     Products or components affected

4.     System requirements 

5.     Installation and configuration for non-Windows

6.   Installation and configuration for Windows

7.     List of files

8.     Product notifications

 

9.     Copyright and trademark information

 

1.   List of fixes

 

P102716

 

2.   Download Location

 

Download Fix 501633 from the following location: http://www.ibm.com/eserver/support/fixes/

 

3.   Products or components affected

 

Affected components for non-Windows include: LSF/eauth.cve, LSF/hostsetup, LSF/lim, LSF/pim, LSF/mbatchd, LSF/mbschd, LSF/sbatchd, LSF/res, LSF/bsub, LSF/bmod, LSF/badmin, LSF/lsadmin, LSF/bmgroup,  LSF/bstatus LSF/bmig, LSF/bstop,  LSF/bapp, LSF/lseligible, LSF/lsreconfig, LSF/lsreghost, LSF/lsfrestart,LSF/lsrtasks, LSF/bswitch, LSF/lsfshutdown, LSF/lsrun, LSF/bparams, LSF/btop, LSF/bbot, LSF/bpeek, LSF/bugroup, LSF/bchkpnt, LSF/bpost, LSF/busers, LSF/bclusters, LSF/lsfstartup, LSF/bconf, LSF/bqueues, LSF/bread, LSF/lsgrun, LSF/bgadd, LSF/lshosts, LSF/bgbroker, LSF/breconfig, LSF/egoconfig, LSF/lsid, LSF/bgdel, LSF/brequeue, LSF/egoenv, LSF/lsinfo, LSF/bgmod, LSF/bresize, LSF/egoexec, LSF/lsload, LSF/bgpinfo, LSF/bresources, LSF/lsloadadj, LSF/bhist, LSF/brestart, LSF/egosh, LSF/lslockhost, LSF/bhosts, LSF/bresume, LSF/lslogin, LSF/bhpart, LSF/brlainfo, LSF/bjdepinfo, LSF/brsvadd, LSF/bjgroup, LSF/brsvdel, LSF/bjobs, LSF/brsvmod, LSF/bkill, LSF/brsvs, LSF/lsacct, LSF/lsmon, LSF/blaunch, LSF/blimits, LSF/bsla, LSF/lsadmin, LSF/bmg, LSF/bslots, LSF/lsclusters, LSF/lsrcp, LSF/nios, LSF/melim, LSF/egosh, LSF/egosc LSF/schmod_demand.so LSF/schmod_bluegene.so  LSF/schmod_cpuset.so  LSF/schmod_dist.so  LSF/schmod_jobweight.so  LSF/schmod_mc.so  LSF/schmod_pset.so  LSF/schmod_rms.so  LSF/schmod_xl.so
libbat.a  libbat.so(libbat.dylib for Mac OS, libbat.sl for HP OS)  liblsf.a  liblsf.so(liblsf.dylib for Mac OS, liblsf.sl for HP OS) lsbatch.h  lsf.h

 

Affected components for Windows include:

LSF/eauth.cve.exe

 

4.   System requirements

 

aix-64

hpuxia64

linux2.6-glibc2.3-x86_64

linux3.12-glibc2.17-armv8

linux3.10-glibc2.17-ppc64le

linux3.10-glibc2.17-x86_64

macosx

sparc-sol10-64

x86-64-sol10

win-x64

 

5.   Installation and configuration for non-Windows

 

5.1          Before installation

            

 (LSF_TOP=Full path to the top-level installation directory of LSF.)

1)    Log on to the LSF master host as root

2)    Set your environment:

-      For csh or tcsh: % source LSF_TOP/conf/cshrc.lsf

-      For sh, ksh, or bash: $ . LSF_TOP/conf/profile.lsf

 

5.2          Installation steps

 

 Follow the complete installation procedure on every host to use LSF with non-shared file

 systems.

 

1)    Go to the patch install directory: cd $LSF_ENVDIR/../10.1/install/

2)    Copy the patch file to the install directory $LSF_ENVDIR/../10.1/install/

3)    Run patchinstall: ./patchinstall <patch>

  

5.3          After installation

 

1)    Run badmin hshutdown all

2)    Run lsadmin resshutdown all

3)    Run lsadmin limshutdown all

4)    Back up the eauth on all installed hosts as eauth.bak

5)    Copy the eauth.cve to replace the eauth on all LSF hosts

6)    Run chmod u+s $LSF_SERVERDIR/eauth to configure eauth as setuid to root

7)    If cluster is a heterogenous cluster with shared installation, set LSF_LINK_PATH in $LSF_ENVDIR/lsf.conf to a local machine path 

8)    Run hostsetup --ext-serverdir --eauth-key to specify the security eauth path with root privileges.

9)    Change LSF_SERVERDIR=$LSF_LINK_PATH/etc in $LSF_ENVDIR/lsf.conf

10)  Run lsadmin limstartup all

11)  Run lsadmin resstartup all

12)  Run badmin hstartup all


5.4          Uninstallation

 

1)    Run badmin hshutdown all

2)    Run lsadmin resshutdown all

3)    Run lsadmin limshutdown all

4)    Go to the patch install directory: cd $LSF_ENVDIR/../10.1/install/, run ./patchinstall -r <patch>

5)    Replace eauth with the backup eauth.bak on all LSF hosts

6)    Run chmod u+s $LSF_SERVERDIR/eauth to configure eauth as setuid to root

7)    Remove /etc/lsf.conf on each host, and comment out LSF_EXT_SERVERDIR LSF_ENV_OVERRIDE LSF_SERVERDIR in $LSF_ENVDIR/lsf.conf

8)    Remove eauth key from the /etc/lsf.sudoers

9)    Run lsadmin limstartup all

10)  Run lsadmin resstartup all

11)  Run badmin hstartup all

 

6.   Installation and configuration for Windows

 

6.1          Before installation

 

None

 

6.2          Installation steps

 

1)    Log on to the LSF master host as LSF cluster administrator

2)    Run badmin hshutdown all

3)    Run lsadmin resshutdown all

4)    Run lsadmin limshutdown all

5)    Log on to the Windows host as administrator, install the Windows patch

 

6.3          After installation

 

1)    Log on to the Windows host as administrator 

2)    Backup the eauth.exe on the Windows host as eauth.bak.exe

3)    Copy the eauth.cve.exe to replace the eauth.exe on the Windows host

4)    Log on to the LSF master host as LSF cluster administrator

5)    Run lsadmin limstartup all

6)    Run lsadmin resstartup all

7)    Run badmin hstartup all

 

6.4          Uninstallation

  

1)    Log on to the LSF master host as LSF cluster administrator.

2)    Run badmin hshutdown all

3)    Run lsadmin resshutdown all

4)    Run lsadmin limshutdown all 

5)    Log on to the Windows host as administrator, remove the patch installation from the Windows control panel on the Windows host

6)    Replace eauth.exe with the backup eauth.bak.exe on the Windows host

7)    Log on to the LSF master host as LSF cluster administrator.

8)    Run lsadmin limstartup all

9)    Run lsadmin resstartup all

10)  Run badmin hstartup all

 

 

7.   List of files 

 

    Non-windows:

badmin  eauth.cve  lsadmin  mbatchd  res  sbatchd bsub bmod hostsetup lim mbschd pim
bmgroup  bstatus bmig    bstop  bapp  lseligible  lsreconfig lsreghost  lsfrestart  lsrtasks   bswitch  lsfshutdown  lsrun  bparams  btop  bbot  bpeek   bugroup  bchkpnt  bpost  busers  bclusters   lsfstartup  bconf bqueues  bread  lsgrun  bgadd  lshosts  bgbroker  breconfig  egoconfig  lsid  bgdel  brequeue  egoenv lsinfo  bgmod  bresize egoexec  lsload  bgpinfo  bresources  lsloadadj  bhist  brestart  egosh  lslockhost  bhosts  bresume  lslogin  bhpart  brlainfo  bjdepinfo  brsvadd  bjgroup  brsvdel  bjobs  brsvmod  bkill  brsvs   lsacct  lsmon blaunch  blimits  bsla  lsadmin  bmg  bslots lsclusters  lsrcp
nios melim  ego_client egosc  
schmod_demand.so schmod_bluegene.so  schmod_cpuset.so  schmod_dist.so  schmod_jobweight.so  schmod_mc.so  schmod_pset.so  schmod_rms.so  schmod_xl.so
libbat.a  libbat.so(libbat.dylib for Mac OS, libbat.sl for HP OS)  liblsf.a  liblsf.so(liblsf.dylib for Mac OS, liblsf.sl for HP OS)  liblsbstream.so liblsbstream.a  lsbatch.h  lsf.h 

 

Windows:

eauth.cve.exe

 

8.   Product notifications

To receive information about product solution and patch updates automatically, subscribe to product notifications on the My notifications page (www.ibm.com/support/mynotifications) on the IBM Support website (support.ibm.com). You can edit your subscription settings to choose the types of information you want to get notification about, for example, security bulletins, fixes, troubleshooting, and product enhancements or documentation changes.

 

9.   Copyright and trademark information

© Copyright IBM Corporation 2018 

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM®, the IBM logo and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.