Red Hat RHSA-2008:0814
Aug 11, 2008 - 12:00 a.m.

(RHSA-2008:0814) Moderate: condor security and bug fix update

2008-08-11 00:00:00
access.redhat.com
10

EPSS: 0.013 (Low), percentile 86.0%

Condor is a specialized workload management system for compute-intensive
jobs. It provides a job queuing mechanism, scheduling policy, priority
scheme, and resource monitoring and management.

A flaw was found in the way Condor interpreted wildcards in authorization
lists. Certain authorization lists using wildcards in DENY rules, such as
DENY_WRITE or HOSTDENY_WRITE, that conflict with the definitions in ALLOW
rules, could permit authenticated remote users to submit computation jobs,
even when such access should have been denied. (CVE-2008-3424)
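
An added example, not part of the advisory or of Condor: a Python check that lists wildcard DENY entries overlapping an ALLOW entry for the same access level, which is the configuration shape described above for CVE-2008-3424. Treating HOST-prefixed and unprefixed settings as one access level, the one-rule-per-line parsing, and the glob-overlap heuristic are assumptions; the sample configuration is constructed.

```python
import re
from fnmatch import fnmatchcase

# One rule per line, e.g. "HOSTDENY_WRITE = *.lab.example.org, 10.1.*".
# Assumptions: no line continuations, no $(MACRO) expansion, and HOSTALLOW_X /
# HOSTDENY_X are grouped with ALLOW_X / DENY_X as the same access level.
RULE = re.compile(r"^\s*(?:HOST)?(ALLOW|DENY)_([A-Z_]+)\s*=\s*(.*)$")

def parse_rules(text):
    """Return {(kind, level): [entry, ...]} with kind 'ALLOW' or 'DENY'."""
    rules = {}
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0])  # drop trailing comments
        if m:
            kind, level, value = m.groups()
            entries = [e.strip().lower() for e in value.split(",") if e.strip()]
            rules.setdefault((kind, level), []).extend(entries)
    return rules

def overlaps(a, b):
    """Heuristic: two glob entries overlap if either one, read as a literal
    string, is matched by the other read as a pattern."""
    return fnmatchcase(a, b) or fnmatchcase(b, a)

def find_conflicts(text):
    """List (level, deny_entry, allow_entry) where a wildcard DENY entry
    overlaps an ALLOW entry for the same access level."""
    rules = parse_rules(text)
    found = []
    for (kind, level), denies in rules.items():
        if kind != "DENY":
            continue
        for d in (d for d in denies if "*" in d):
            for a in rules.get(("ALLOW", level), []):
                if overlaps(d, a):
                    found.append((level, d, a))
    return sorted(found)

# Constructed sample configuration (not taken from the advisory).
SAMPLE = """\
ALLOW_WRITE = *.example.org
HOSTALLOW_WRITE = 192.168.*
DENY_WRITE = *.lab.example.org
HOSTDENY_WRITE = 192.168.5.*, badhost.example.net
HOSTALLOW_READ = *
"""

if __name__ == "__main__":
    for level, deny, allow in find_conflicts(SAMPLE):
        print(f"{level}: DENY entry {deny!r} overlaps ALLOW entry {allow!r}")
```

Any entry it reports on a host still running a pre-7.0.4 condor package is a rule pair to review until the update is applied.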

Bug fixes:

  • the /etc/condor/condor_config file started with “What machine is your
    central manager?”. The following line was blank, instead of having the
    “CONDOR_HOST” option, causing confusion. The “What machine…” text is now
    removed.

  • condor_config.local defined “LOCK = /tmp/[lock file]”. This is no longer
    explicitly defined; however, lock files may be in “/tmp/”, and could be
    removed by tmpwatch. A “LOCK_FILE_UPDATE_INTERVAL” option, which defaults
    to eight hours, has been added. This updates the timestamps on lock files,
    preventing them from being removed by tools such as tmpwatch.

  • when a “SCHEDD_NAME” name in condor_config ended with an “@”, the
    system’s hostname was appended. For example, if “SCHEDD_NAME = test@” was
    configured, “condor_q -name test@” failed with a “Collector has no record
    of schedd/submitter” error. Now, the hostname is not appended when a name
    ends with an “@”. In High Availability (HA) Schedd deployments, this allows
    a name to be shared by multiple Schedds.

  • when too few arguments were passed to “condor_qedit”, such as
    “condor_qedit -constraint TRUE”, a segfault occurred. Better argument
    handling has been added to resolve this.

  • due to missing common_createddl.sql and pgsql_createddl.sql files,
    it was not possible to use Quill. Now, these files are included in
    “/usr/share/condor/sql/”.

  • “condor_submit -dump ad [file-name]” caused a segfault if the [file-name]
    job contained “universe = grid”.

  • previously, a condor user and group were created if they did not exist,
    without specifying a specific UID and GID. Now, UID and GID 64 are used.
    This change has no effect when upgrading the condor packages.
    If an existing condor user and group are manually changed, problems with
    file ownership will occur.

Configuration changes (from the Condor release notes - see link below):

  • a new CKPT_SERVER_CHECK_PARENT_INTERVAL variable sets the interval at
    which a checkpoint server checks whether its parent is running. If the
    parent server has died, the checkpoint server is shut down.

  • a new CKPT_PROBE variable defines an executable for the helper process
    Condor uses for information about the CheckpointPlatform attribute.

  • STARTER_UPLOAD_TIMEOUT now defaults to 300 seconds.

  • new boolean variables PREEMPTION_REQUIREMENTS_STABLE and
    PREEMPTION_RANK_STABLE configure whether attributes used in
    PREEMPTION_REQUIREMENTS and PREEMPTION_RANK change during negotiation
    cycles.

  • a new GRIDMANAGER_MAX_WS_DESTROYS_PER_RESOURCE variable, with a
    default value of 5, defines the number of simultaneous WS destroy commands
    that can be sent to a server for type gt4 grid universe jobs.

  • now, VALID_SPOOL_FILES automatically includes the “SCHEDD.lock” lock file
    for condor_schedd HA failover.

  • the default value for SEC_DEFAULT_SESSION_DURATION has been changed from
    8640000 seconds (100 days) to 86400 seconds (one day).

Important: these updated packages upgrade Condor to version 7.0.4. For a
full list of changes, refer to the Condor release notes:
www.cs.wisc.edu/condor/manual/v7.0/8_3Stable_Release.html

Condor users should upgrade to these updated packages, which resolve these
issues.
