Thanks Chris,

If you see SGE or PBS security bugs, can you forward them to this list?

Rayson

--- Chris Dagdigian <dag@sonsorol.org> wrote:
>
> Excerpt:
>
> > Impact: An attacker can gain root privilege by forcing the 'lsadmin'
> > binary to execute code of the attacker's choice. The 'lsadmin' binary
> > is setuid root.
> >
> > Description:
> >
> > The 'lsadmin' binary has a "ckconfig" command. It uses it to check the
> > correctness of config files. Right after it starts, it is using the
> > external 'lim' binary. It is using the LSF_SERVERDIR variable in the
> > lsf.conf file to obtain a path for the 'lim' binary. A regular user can
> > make his own lsf.conf file and, by using the LSF_ENVDIR variable, force
> > 'lsadmin' to use it instead of the default /etc/lsf.conf file. The
> > attacker can therefore point the LSF_SERVERDIR variable to his own 'lim'
> > binary. The attacker's 'lim' binary will be executed with setuid root
> > privileges.
> >
> > URL:
> > http://www.securityfocus.com/archive/1/322242/2003-05-19/2003-05-25/0
>
> Regards,
> Chris
>
> --
> Chris Dagdigian, <dag@sonsorol.org>
> BioTeam Inc. - Independent Bio-IT & Informatics consulting
> Office: 617-666-6454, Mobile: 617-877-5498, Fax: 425-699-0193
> PGP KeyID: 83D4310E Yahoo IM: craffi Web: http://bioteam.net
>
> _______________________________________________
> Bioclusters maillist - Bioclusters@bioinformatics.org
> https://bioinformatics.org/mailman/listinfo/bioclusters