Platform LSF Administration Guide Version 6.2

ManualsBrandsHP ManualsSoftwareHP XC System 3.x Software

561

562

563

564

565

566

567

568

569

570

Chapter 40

Authentication

Administering Platform LSF

569

LSF allows both the setuid and identification daemon methods to be in effect

simultaneously. If the effective user ID of a load-sharing application is root, then a

privileged port number is used in contacting RES. RES always accepts requests from a

privileged port on a known host even if LSF_AUTH is defined to be

ident. If the

effective user ID of the application is not root, and the LSF_AUTH parameter is defined

to be

ident, then a normal port number is used and RES tries to contact the

identification daemon to verify the user’s identity.

setuid permission on LSF administration commands

The LSF administration commands (lsadmin and badmin, etc.) are installed setuid

by default. All other LSF commands except the administration commands can be run

without

setuid permission if an identification daemon is used.

If your file server does not permit

setuid permission, you should install LSF_BINDIR

on a file system that does allow

setuid.

Security of LSF authentication

All authentication methods supported by LSF depend on the security of the root

account on all hosts in the cluster. If a user can get access to the root account, they can

subvert any of the authentication methods. There are no known security holes that allow

a non-root user to execute programs with another user’s permission.

Some system adminstrators have particular concerns about security schemes involving

RFC 1413 identification daemons. When a request is coming from an unknown host,

there is no way to know whether the identification daemon on that host is correctly

identifying the originating user.

LSF only accepts job execution requests that originate from hosts within the LSF cluster,

so the identification daemon can be trusted.

The system environment variable LSF_ENVDIR is used by LSF to obtain the location

lsf.conf, which points to the LSF configuration files. Any user who can modify

system environment variables can modify LSF_ENVDIR to point to their own

configuration and start up programs under the

lsfadmin account.

All external binaries invoked by the LSF daemons (such as

esub, eexec, elim, eauth,

and queue level pre- and post-execution commands) are run under the

lsfadmin

account.

UNIX

By default, external authentication is installed on UNIX. If you use the identification

protocol (

identd) for authentication, LSF uses a port in the UNIX privileged port

range, so it is not possible for an ordinary user to start a hacked identification daemon

on an LSF host.

On UNIX, this means that authentication is done using privileged ports and binaries

that need to be authenticated (for example,

bsub) are installed setuid to root.

Windows

By default, external authentication is installed on Windows. You may disable external

authentication by disabling the LSF_AUTH parameter in the

lsf.conf file.

On Windows, privileged ports authentication does not provide any security because

Windows does not have the concept of

setuid binaries and does not restrict which

binaries can use privileged ports. A security risk exists in that a user can discover the