[Pkg-gridengine-devel] Bug#693722: Bug#693722: gridengine: use recent version and updated packaging

Dave Love d.love at liverpool.ac.uk
Wed Nov 28 23:13:39 UTC 2012


Michael Banck <mbanck at debian.org> writes:

> Hi Dave,
>
> we are currently at a squeeze bug-squashing-party, so I took a look.
>
> On Sun, Nov 18, 2012 at 11:02:49PM +0000, Dave Love wrote:
>> I've worked on packaging for SGE to address problems with the current
>> version and to support (pre-release) SGE 8.1.3, though it will work with
>> the 8.1.2 with minor changes.  The sge source
>> <https://arc.liv.ac.uk/trac/SGE/browser/sge> now has simple packaging
>> for installing into /opt/sge, but this is different.
>
> Do you prefer to change the source package name from "gridengine" to
> "sge", or would keeping "gridengine" be fine?

I don't care.  I kept "gridengine" for the RPM package, following the
old Fedora one, but that might have a mistake.  The debian files in the
base version (installing into /opt) use "sge" to try to avoid confusion,
and I don't see any particular reason to change your packaging.

> It would be great if we could have a minimal changeset for the testing
> version to apply.

You can cherry pick as you like, but I don't know what you'd consider
minimal, and I'm afraid I don't have time to spend on an old version.  I
can probably identify patches from the repo corresponding to NEWS items
if they're difficult to find.

>> I've tagged this security as this version:
>> * allows installing in CSP mode;
>
> Is that a big change?

If you mean in code, it involves shipping all the relevant files.  I
don't know why they're not included.  It's an important change to
include them IMNSHO.

>> * changes the default configuration to avoid remote root without CSP,
>>   assuming a separate qmaster <http://arc.liv.ac.uk/SGE/howto/sge-security.html>;
>
> Is that something which could be backpatched easily to the version in
> testing?

There must be some misunderstanding.  It's trivial -- compare the two
configuration files.  Is the web page above not clear enough?

>> * fixes problems with sgepasswd (now included) which weren't addressed by
>>   6.2u5-7.1 changes;
>
> As sgepasswd is not yet included, this one appears not to apply.

It is in my version, but see my comments on the bug tracker on the
6.2u5-7.1 change.

>> * avoids the remote startup part of the CVE that the bogus 6.2u5-7.1
>>   change didn't get right.
>
> Can you elaborate on that and/or provide the patch/changeset needed to
> fix this up?

I wouldn't bother.  My environment sanitization (that the security
people seem to have rejected in favour of an incomplete one) is as
secure as sudo's, and it's irrelevant without at least a uidmin change
to avoid an easy remote root.  Using builtin startup avoids the issue
too, but is more important for getting tight integration.  For the
change to avoid passing the user environment, you could search for "CVE"
in the changesets under https://arc.liv.ac.uk/trac/SGE/.

There's a bunch of more-or-less important stuff in the version 8 code
apart from buffer overflows and other daemon crashes -- see NEWS.

I don't know if any of that helps...
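The environment sanitisation Dave refers to is not shown on this page. As an added illustration (not SGE's or sudo's code), the block below is an allowlist-based filter of the kind a job launcher can apply to a remotely supplied environment before starting a job, in the spirit of sudo's env_reset; the allowed variable names and the sample environment are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Variables that may reach the job unchanged (assumed list for the example). */
static const char *const env_allowlist[] = { "HOME", "USER", "LOGNAME", "LANG", "TZ", NULL };

/* Reject values containing control characters, or starting with "()"
 * (the shape of an exported shell function), even for allowed names. */
static int env_value_safe(const char *value)
{
    if (strncmp(value, "()", 2) == 0)
        return 0;
    for (; *value; value++)
        if ((unsigned char)*value < 0x20 || *value == 0x7f)
            return 0;
    return 1;
}

/* Keep only "NAME=VALUE" entries of `in` whose NAME is on the allowlist
 * and whose VALUE is safe.  `out` receives pointers into `in` plus a
 * terminating NULL; `cap` is its capacity.  Returns the number kept,
 * or -1 if `out` cannot hold the result.  Everything else (LD_*, PATH,
 * IFS, BASH_ENV, ...) is dropped simply by not being listed. */
int sanitize_env(char *const *in, const char **out, size_t cap)
{
    size_t kept = 0;
    for (; *in; in++) {
        const char *eq = strchr(*in, '=');
        if (!eq || eq == *in)
            continue;                 /* malformed: empty name or no '=' */
        size_t nlen = (size_t)(eq - *in);
        int allowed = 0;
        for (const char *const *a = env_allowlist; *a; a++)
            if (strlen(*a) == nlen && memcmp(*a, *in, nlen) == 0) { allowed = 1; break; }
        if (!allowed || !env_value_safe(eq + 1))
            continue;
        if (kept + 1 >= cap)
            return -1;                /* leave room for the terminating NULL */
        out[kept++] = *in;
    }
    out[kept] = NULL;
    return (int)kept;
}

/* Constructed sample: a job environment as a remote client might submit it. */
static char *const sample_env[] = {
    "HOME=/home/alice", "LD_PRELOAD=/tmp/evil.so", "PATH=/tmp:/usr/bin",
    "USER=alice", "TZ=UTC\nIFS=x", "LANG=() { :; }", NULL };
const char *sanitized[8];

/* Runs the sample through sanitize_env; only HOME and USER survive (returns 2). */
int run_sample(void) { return sanitize_env(sample_env, sanitized, 8); }
```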
