Some files in the VDT have inappropriate world- or group-writable permissions. Some directories that contain critical files also have world- or group-writable permissions. In either case, it may be possible for an authenticated and authorized grid user to submit a Globus job that will modify or replace executables within the VDT that run as the root user, thereby granting them root access.
People who install a fresh copy of VDT 1.3.9b or later will not experience this problem. Versions prior to VDT 1.3.9 may have this problem, but they have not been patched. We strongly recommend installing VDT 1.3.9b or later. Note that installing "VDT 1.3.9" will install "VDT 1.3.9b", as of March 3rd, 2006, at about 3:30pm.
If you installed VDT 1.3.9 on March 3rd, 2006, or earlier, you will not have VDT 1.3.9b installed, and you should apply the fix below. That will be sufficient to fix your installation. You can tell if you have VDT 1.3.9b installed by using the vdt-version command:
    > vdt-version
    You have installed a subset of VDT version 1.3.9b:
    [List of software here]

If it says "VDT version 1.3.9" or "VDT version 1.3.9a", you do not have the updated version, and you should apply the fix below.
Note that if you did not install the VDT as root, this is still a problem, but it will lead only to access as the user that installed the VDT, not to root access.
    # Fix executable files with overly permissive rights to 0755
    # (newer GNU find releases reject "-perm +MODE"; there, write "-perm /MODE" instead)
    find . -type f -perm +0111 -perm +0022 | xargs chmod 0755

    # Fix directories with overly permissive rights to 0755
    # Do not change directories with 1777 rights, because they need to be that way
    find . -type d -perm +0022 -not -perm 1777 | xargs chmod 0755

    # Fix certain non-executable files with overly permissive rights to not be writable to all
    for suffix in jar py csh sh pl pm conf properties; do
        find . -name "*.$suffix" | xargs chmod go-w
    done
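A read-only check that lists what the fix would change, so the affected files can be reviewed first (an added example, not part of the original advisory or of the VDT; the function name vdt_perm_audit and its directory argument are assumptions). It uses POSIX "-perm -MODE" tests joined with -o, which select the same files as the "any of these bits" tests in the fix and behave the same on old and new versions of find.

```shell
#!/bin/sh
# Added example: report, without changing anything, the entries under a
# directory that fall into the three categories the fix modifies.
# vdt_perm_audit is a hypothetical helper name, not a VDT command.

vdt_perm_audit() {
    root=${1:-.}

    # 1. Regular files with any execute bit set that group or other can write
    find "$root" -type f \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 \) \
        \( -perm -0020 -o -perm -0002 \) -print | sed 's/^/exec-file /'

    # 2. Directories that group or other can write, skipping those whose
    #    mode is exactly 1777 (the fix leaves these alone as well)
    find "$root" -type d \( -perm -0020 -o -perm -0002 \) \
        ! -perm 1777 -print | sed 's/^/directory /'

    # 3. Regular files with the suffixes named in the fix that group or
    #    other can write
    for suffix in jar py csh sh pl pm conf properties; do
        find "$root" -type f -name "*.$suffix" \
            \( -perm -0020 -o -perm -0002 \) -print
    done | sed 's/^/suffix-file /'
}

# When run as a script with a directory argument, audit that directory.
if [ "$#" -gt 0 ]; then
    vdt_perm_audit "$1"
fi
```

Empty output means none of the three categories is present under the given directory; a writable executable with one of the listed suffixes is reported under both exec-file and suffix-file.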