Note: This web site is only kept up to date for OSG Software 1.2 (VDT 2.0.0). If you are looking for information for the most recent release, the RPM-based OSG Software 3.0, please see the OSG documentation web site

File Permissions Problems

Summary

File and directory permissions allow trusted users to gain root access.

Relevant Versions

This advisory affects the following VDT versions:

Date Announced

2006-03-13

Description

Some files in the VDT are world- or group-writable, and some directories containing critical files are world- or group-writable. A writable directory is as dangerous as a writable file: even if an executable itself is 0755, a user who can write its directory can rename it aside and put a replacement in its place. In either case, an authenticated and authorized grid user may be able to submit a Globus job that modifies or replaces executables within the VDT that run as the root user, thereby gaining root access.

People who install a fresh copy of VDT 1.3.9b or later will not experience this problem. Versions prior to VDT 1.3.9 may have this problem, but they have not been patched. We strongly recommend installing VDT 1.3.9b or later. Note that installing "VDT 1.3.9" has installed "VDT 1.3.9b" since March 3rd, 2006, at about 3:30pm.

If you installed VDT 1.3.9 on March 3rd, 2006, or earlier, you will not have VDT 1.3.9b installed, and you should apply the fix below. That will be sufficient to fix your installation. You can tell if you have VDT 1.3.9b installed by using the vdt-version command:

> vdt-version 
You have installed a subset of VDT version 1.3.9b:
  [List of software here] 
If it says VDT version 1.3.9 or VDT version 1.3.9a, you do not have the updated version, and you should apply the fix below.

Note that if you did not install the VDT as root, the problem still exists, but exploiting it yields only the access of the user who installed the VDT, not root access.

Solution

If you have VDT 1.3.9 (or 1.3.9a) or earlier, execute the following commands from your $VDT_LOCATION directory while logged in as root, or as the user you installed the VDT as. The paths are passed NUL-separated so that names containing spaces survive, and xargs -r keeps chmod from running with no operands when nothing matches.
# Fix executable files with overly permissive rights to 0755
# (-perm +MODE matches if any of the given bits is set; current GNU find
# spells this -perm /MODE)
find . -type f -perm +0111 -perm +0022 -print0 | xargs -0 -r chmod 0755

# Fix directories with overly permissive rights to 0755
# Do not change directories with 1777 rights, because they need to be that way
find . -type d -perm +0022 -not -perm 1777 -print0 | xargs -0 -r chmod 0755

# Fix certain non-executable files with overly permissive rights so that
# neither group nor others can write them
for suffix in jar py csh sh pl pm conf properties; do
    find . -name "*.$suffix" -print0 | xargs -0 -r chmod go-w
done
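The following script is an added example and is not part of the original advisory or of the VDT. It audits an installation tree for the three conditions the Description section lists (group- or world-writable executables, writable non-sticky directories, and writable code or configuration files of the suffixes named above), applies a NUL-safe variant of the commands in the Solution section, and re-audits so you can confirm the fix took. It differs from the advisory's commands in one deliberate way: it leaves any directory with the sticky bit alone, not only those that are exactly 1777, since other users cannot rename or unlink entries they do not own in a sticky directory. It assumes GNU find and xargs (which spell the advisory's -perm +MODE test as -perm /MODE and support -print0, -0 and -r); the function names, the sample tree it builds and the file names in it are constructed for illustration only.

```shell
#!/bin/sh
# Added example (not VDT code): audit a VDT-style tree for the permission
# problems in this advisory, fix them, and re-audit.  Assumes GNU find/xargs
# (-perm /MODE, -print0, xargs -0 -r).  Run as the owner of the installation.

# Executables that group or others can write to (any of the 0022 bits set).
find_writable_execs() { root="$1"; shift; find "$root" -type f -perm /0111 -perm /0022 "$@"; }

# Directories that group or others can write to and that lack the sticky bit:
# a 0755 executable inside one can still be renamed aside and replaced.
# Sticky directories (the advisory's 1777 case) are left alone, since other
# users cannot rename or unlink entries they do not own there.
find_writable_dirs() { root="$1"; shift; find "$root" -type d -perm /0022 ! -perm -1000 "$@"; }

# Non-executable files that an interpreter, the JVM or a service will read as
# code or configuration (the advisory's suffix list), writable by group/others.
find_writable_code() {
    root="$1"; shift
    find "$root" -type f \( -name '*.jar' -o -name '*.py' -o -name '*.csh' -o -name '*.sh' \
        -o -name '*.pl' -o -name '*.pm' -o -name '*.conf' -o -name '*.properties' \) \
        -perm /0022 "$@"
}

# Print one "KIND path" line per finding, sorted; empty output means clean.
audit_perms() {
    {
        find_writable_execs "$1" | sed 's/^/WRITABLE-EXEC /'
        find_writable_dirs "$1"  | sed 's/^/WRITABLE-DIR /'
        find_writable_code "$1"  | sed 's/^/WRITABLE-CODE /'
    } | sort
}

# Number of findings, usable as a pass/fail check after fixing.
audit_count() { audit_perms "$1" | wc -l | tr -d ' '; }

# The advisory's fix, NUL-separated so paths with spaces survive, with
# xargs -r so an empty list does not run chmod with no operands.
fix_perms() {
    find_writable_execs "$1" -print0 | xargs -0 -r chmod 0755
    find_writable_dirs "$1"  -print0 | xargs -0 -r chmod 0755
    find_writable_code "$1"  -print0 | xargs -0 -r chmod go-w
}

# Constructed sample tree with one instance of each problem plus a sticky
# directory and a clean file that must NOT be touched.  Names are illustrative.
make_sample_tree() {
    d="$1"
    mkdir -p "$d/bin" "$d/lib/hooks" "$d/etc" "$d/tmp" "$d/var"
    : > "$d/bin/job-manager";    chmod 0777 "$d/bin/job-manager"    # writable root-run executable
    : > "$d/lib/hooks/setup.sh"; chmod 0755 "$d/lib/hooks/setup.sh" # the file is fine ...
    chmod 0777 "$d/lib/hooks"                                        # ... but its directory is not
    : > "$d/etc/service.conf";   chmod 0664 "$d/etc/service.conf"   # group-writable config
    chmod 1777 "$d/tmp"                                              # sticky spool dir: keep as is
    : > "$d/var/ok.conf";        chmod 0644 "$d/var/ok.conf"        # nothing wrong here
    chmod 0755 "$d" "$d/bin" "$d/lib" "$d/etc" "$d/var"
}

# Stand-alone demo: build the sample tree, list findings, fix, re-check.
demo() {
    d=$(mktemp -d)
    make_sample_tree "$d"
    echo "findings before fix:"; audit_perms "$d"
    fix_perms "$d"
    echo "findings after fix: $(audit_count "$d")"
    rm -rf "$d"
}
demo
```

On a real installation, source the script and run audit_perms "$VDT_LOCATION" before and fix_perms "$VDT_LOCATION" after; a non-zero audit_count after the fix means something outside the advisory's rules (for example a setgid or sticky case) still needs a decision by hand.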

Questions

Please contact vdt-support@opensciencegrid.org if you have any questions.