Privilege Separation in Condor
Greg Quinn, Computer Sciences Department, University of Wisconsin-Madison
Principle of Least Privilege
› “Every program and every user of the system should operate using the least set of privileges necessary to complete the job.” (Saltzer and Schroeder, 1975)
User IDs in Condor
› condor: an unprivileged account for Condor’s files and processes
› user: unprivileged accounts for regular users who submit jobs to Condor
› root: the machine-wide superuser
Un-Separated Condor
(diagram: a single Condor daemon runs as root; the files and processes it manages belong to condor and to user accounts)
PrivSep: Goals
1. Reduce the part of Condor that runs with superuser privileges to a small “PrivSep Kernel”
2. Restrict the actions that Condor can perform via the PrivSep Kernel to a reasonable minimum for Condor’s operation
PrivSep Kernel
(diagram: the Condor daemon sends requested operations to the PrivSep Kernel, which checks whether each requested operation is authorized)
PrivSep Kernel Operations
› File Operations
  › Change ownership of a directory tree
  › Delete a directory tree
  › Perform an open or rename operation as a regular user
› Process Operations
  › Execute a program as a regular user
  › Signal a process
  › Suspend, continue, or kill a process family
  › Get process family usage info
PrivSep Kernel Implementation
› Switchboard: supports the file system operations and the ability to create processes as regular users
› ProcD: supports the rest of the process operations
Implementation: The PrivSep Switchboard
› root-owned setuid binary
› Configured to allow a single account (condor) to use its operations
› Limits on what actions it will perform are defined in a root-owned configuration file
Switchboard: rm -rf
(diagram: the StartD asks the Switchboard to “remove the directory tree at /condor/execute/dir_1234”; the Switchboard decides “dir_1234 is in a Condor-managed directory, so I’ll go ahead”)
Switchboard: Open as User
(diagram: the SchedD asks the Switchboard to “open file X as user gquinn”)
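As an added illustration of the checks the two Switchboard slides above describe (this is not Condor’s own code), a small Python model of the authorization decision: the caller must be the single configured account, a directory tree may only be removed strictly inside a Condor-managed directory, and an open may only be performed as a regular user. The policy table, account table, paths and uid threshold are constructed assumptions.

```python
import posixpath

# Constructed policy, standing in for the root-owned configuration file
# the slides describe (paths and uid threshold are assumptions).
POLICY = {
    "allowed_caller": "condor",                            # only account allowed to call
    "managed_dirs": ["/condor/execute", "/condor/spool"],  # trees that may be deleted under
    "min_regular_uid": 1000,                               # lower uids: system accounts
}
# Constructed account table (name -> uid), standing in for the passwd database.
PASSWD = {"root": 0, "condor": 999, "gquinn": 1001}


def _inside_managed_dir(path, managed_dirs):
    """True only if path normalises to a proper descendant of a managed tree.

    normpath() collapses ".." and repeated slashes, so a request such as
    /condor/execute/x/../../../etc is judged on what it really names (/etc).
    A real setuid implementation must also resolve symlinks and guard
    against the path changing between check and use.
    """
    if not path.startswith("/"):
        return False  # relative paths are never accepted
    norm = posixpath.normpath(path)
    for root in managed_dirs:
        root = posixpath.normpath(root)
        if norm != root and norm.startswith(root + "/"):
            return True  # a descendant, but never the managed root itself
    return False


def authorize(caller, request, policy=POLICY, passwd=PASSWD):
    """Return (allowed, reason) for a switchboard request dict carrying "op"
    and op-specific fields; every path through here fails closed."""
    if caller != policy["allowed_caller"]:
        return False, "caller is not the configured Condor account"
    op = request.get("op")
    if op == "remove_tree":  # the "rm -rf" operation from the slides
        if _inside_managed_dir(request.get("path", ""), policy["managed_dirs"]):
            return True, "path is inside a Condor-managed directory"
        return False, "path is outside Condor-managed directories"
    if op == "open_as_user":  # the "open file X as user gquinn" operation
        uid = passwd.get(request.get("user"))
        if uid is None or uid < policy["min_regular_uid"]:
            return False, "target is not a regular user account"
        return True, "open as regular user uid %d" % uid
    return False, "unknown operation"
```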
Implementation: The ProcD
› Tracks the “family tree” of the Condor Master
› Allows Condor to signal and gather accounting data for processes under its control
› Runs as root (it’s part of the PrivSep Kernel)
› Like the Switchboard, only accepts commands from the condor user account
Implementation: The ProcD
(diagram: the ProcD tracks the process tree Master, StartD, Starter, Job A and Job B; on the request “send a SIGTERM to Job B”, it delivers SIGTERM to Job B)
Execute Side
(diagram: Master, StartD, Starter, ProcD, Switchboard)
› PrivSep Kernel provides everything needed for full privilege separation
› File transfer is accomplished by temporarily changing the ownership of the job’s sandbox to the condor user
Submit Side
(diagram: Master, SchedD, Shadow, ProcD, Switchboard)
› Cannot take care of file transfer via chown
› File transfer logic needs to be executed in a separate, user-owned process (the TransferD)
The TransferD
(diagram: SchedD, Shadow and the TransferD; the TransferD sends data to the execute side)
Current Status
› PrivSep Kernel is implemented completely on UNIX, ProcD-only on Windows
› Execute-side has been modified to use the PrivSep Kernel, and can now run as an unprivileged user
› TransferD implementation is complete
› Submit-side integration with the PrivSep Kernel and TransferD is yet to come
Questions?