Difference between revisions of "Need to Know's"
| (7 intermediate revisions by the same user not shown) | |||
| Line 3: | Line 3: | ||
| The gLExec executable is installable in two ways, '''with and without''' the '''setuid''' (file system) bit on root. With the setuid-bit enabled on root, this effectively means that gLExec is being executed with root privileges. Without the setuid or setgid bits on root the gLExec executable is like any other regular executable. | The gLExec executable is installable in two ways, '''with and without''' the '''setuid''' (file system) bit on root. With the setuid-bit enabled on root, this effectively means that gLExec is being executed with root privileges. Without the setuid or setgid bits on root the gLExec executable is like any other regular executable. | ||
| − | The safety features of gLExec are implemented with great care to avoid misuse  | + | The safety features of gLExec are implemented with great care to avoid misuse. Note that a user running glexec does '''''NOT''''' gain root access at any time. root permissions are '''''ONLY''''' used to perform the actual userswitch from the original to the final Unix account. All intermediate actions, including all I/O, are explicitly done with the privileges of an ordinary user. | 
| == Safety features == | == Safety features == | ||
| Line 11: | Line 11: | ||
| * The LD_LIBRARY_PATH, LD_RUN_PATH and other LD_* environment variables are removed from the process environment by the Operating System before the first line of gLExec code is executed by a Unix and Linux system. Only the /etc/ld.so.conf{.d/}, RPATH settings and other system specific paths are used and resolved. This statement holds for '''any''' setuid or setgid executable. | * The LD_LIBRARY_PATH, LD_RUN_PATH and other LD_* environment variables are removed from the process environment by the Operating System before the first line of gLExec code is executed by a Unix and Linux system. Only the /etc/ld.so.conf{.d/}, RPATH settings and other system specific paths are used and resolved. This statement holds for '''any''' setuid or setgid executable. | ||
| − | * The rest of the environment is stripped off by gLExec | + | * The rest of the environment is stripped off by gLExec, since there are a couple of environment settings that could easily lead to a root exploit in the standard library of a Unix and Linux system. Therefore, by default only the GLEXEC_* environment variables are kept. There is an option in the glexec.conf file to preserve more variables, but these must be selected with great care and setup by each System Administrator on all their machines. These can not be influenced by the user. Starting from gLExec 0.7, all variables starting with MALLOC_ cannot be whitelisted. | 
| − | * If the target user is authorized and when a mapping and Unix process identity switch the HOME and X509_USER_PROXY will be rewritten. Their value will contain the paths that are relevant for the target user account. | + | * If the target user is authorized and when a mapping and Unix process identity switch the HOME and X509_USER_PROXY will be rewritten. Their value will contain the paths that are relevant for the target user account. Note that there are some bugs related to this in versions before 0.7 which mean these variables are sometimes set to incorrect values. These are ''not'' classified as vulnerabilities, but could lead to failure. From version 0.7 onwards, this has been resolved. | 
| − | * The target user process has the Unix identity as mapped by LCMAPS | + | * The target user process has the Unix identity as mapped by LCMAPS and configured by the local system administrator. | 
| − | ==  | + | == How to work with the gLExec secured environment == | 
| − | To cope with the environment clean-up we've developed gLExec wrapper scripts which are capable of  | + | To cope with the environment clean-up we've developed gLExec wrapper scripts which are capable of teleporting your environment variables<!-- and are 100% CO2 neutral -->. These are designed to take care of your environment variables and cooperate with gLExec in the best possible way. This makes it virtually transparent to the Pilot Job framework or other middleware that wishes to propagate environment settings through gLExec. | 
| − | More information about  | + | More information about these wrapper scripts can be found on the [[GLExec Environment Wrap and Unwrap scripts|gLExec Environment Wrap and Unwrap scripts]] page. | 
| == More information == | == More information == | ||
| More information can be found on the [[FAQs and misconceptions about gLExec]] page. | More information can be found on the [[FAQs and misconceptions about gLExec]] page. | ||
Latest revision as of 10:18, 16 April 2010
The difference between setuid and non-setuid (logging-only) mode
The gLExec executable is installable in two ways, with and without the setuid (file system) bit on root. With the setuid-bit enabled on root, this effectively means that gLExec is being executed with root privileges. Without the setuid or setgid bits on root the gLExec executable is like any other regular executable.
The safety features of gLExec are implemented with great care to avoid misuse. Note that a user running glexec does NOT gain root access at any time. root permissions are ONLY used to perform the actual userswitch from the original to the final Unix account. All intermediate actions, including all I/O, are explicitly done with the privileges of an ordinary user.
Safety features
A couple of safety features that are build in the gLExec tool are:
- The LD_LIBRARY_PATH, LD_RUN_PATH and other LD_* environment variables are removed from the process environment by the Operating System before the first line of gLExec code is executed by a Unix and Linux system. Only the /etc/ld.so.conf{.d/}, RPATH settings and other system specific paths are used and resolved. This statement holds for any setuid or setgid executable.
- The rest of the environment is stripped off by gLExec, since there are a couple of environment settings that could easily lead to a root exploit in the standard library of a Unix and Linux system. Therefore, by default only the GLEXEC_* environment variables are kept. There is an option in the glexec.conf file to preserve more variables, but these must be selected with great care and setup by each System Administrator on all their machines. These can not be influenced by the user. Starting from gLExec 0.7, all variables starting with MALLOC_ cannot be whitelisted.
- If the target user is authorized and when a mapping and Unix process identity switch the HOME and X509_USER_PROXY will be rewritten. Their value will contain the paths that are relevant for the target user account. Note that there are some bugs related to this in versions before 0.7 which mean these variables are sometimes set to incorrect values. These are not classified as vulnerabilities, but could lead to failure. From version 0.7 onwards, this has been resolved.
- The target user process has the Unix identity as mapped by LCMAPS and configured by the local system administrator.
How to work with the gLExec secured environment
To cope with the environment clean-up we've developed gLExec wrapper scripts which are capable of teleporting your environment variables. These are designed to take care of your environment variables and cooperate with gLExec in the best possible way. This makes it virtually transparent to the Pilot Job framework or other middleware that wishes to propagate environment settings through gLExec.
More information about these wrapper scripts can be found on the gLExec Environment Wrap and Unwrap scripts page.
More information
More information can be found on the FAQs and misconceptions about gLExec page.
