
Greg Quinn Computer Sciences Department University of Wisconsin-Madison Privilege Separation in Condor.


Slide 1: Privilege Separation in Condor
Greg Quinn, Computer Sciences Department, University of Wisconsin-Madison
gquinn@cs.wisc.edu
http://www.cs.wisc.edu/condor

Slide 2: Principle of Least Privilege
› “Every program and every user of the system should operate using the least set of privileges necessary to complete the job.” (Saltzer and Schroeder, 1975)

Slide 3: User IDs in Condor
› condor: an unprivileged account for Condor’s files and processes
› user: unprivileged accounts for regular users who submit jobs to Condor
› root: the machine-wide superuser

Slide 4: Un-Separated Condor
[Diagram: a Condor Daemon running as condor and root, with Files and Processes belonging to user]

Slide 5: PrivSep: Goals
1. Reduce the part of Condor that runs with superuser privileges to a small “PrivSep Kernel”
2. Restrict the actions that Condor can perform via the PrivSep Kernel to a reasonable minimum for Condor’s operation

Slide 6: PrivSep Kernel
[Diagram: the Condor Daemon sends a request to the PrivSep Kernel, which checks whether the requested operation is authorized before acting]

Slide 7: PrivSep Kernel Operations
› File Operations
  - Change ownership of a directory tree
  - Delete a directory tree
  - Perform an open or rename operation as a regular user
› Process Operations
  - Execute a program as a regular user
  - Signal a process
  - Suspend, continue, or kill a process family
  - Get process family usage info

Slide 8: PrivSep Kernel Implementation
› Switchboard
  - Supports the file system operations and the ability to create processes as regular users
› ProcD
  - Supports the rest of the process operations

Slide 9: Implementation: The PrivSep Switchboard
› root-owned setuid binary
› Configured to allow a single account (condor) to use its operations
› Limits on what actions it will perform are defined in a root-owned configuration file

Slide 10: Switchboard: rm -rf
[Diagram: StartD asks the Switchboard: “remove the directory tree at /condor/execute/dir_1234”. The Switchboard decides: “dir_1234 is in a Condor-managed directory, so I’ll go ahead”]

Slide 11: Switchboard: Open as User
[Diagram: SchedD asks the Switchboard: “open file X as user gquinn”]
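The authorization decisions on slides 10 and 11 modelled as policy checks, written here as an added Python example (not Condor's own Switchboard code): the config fields, uids and the rule that a "regular user" is neither root nor condor (slide 3's definition) are assumptions. The path check resolves ".." and symlinks before comparing, so a request for a path that only looks like it is under the managed directory is refused.

```python
import os
from dataclasses import dataclass

ROOT_UID = 0

# Constructed stand-in for the root-owned Switchboard configuration file.
# Field names are hypothetical, not Condor's real configuration keys.
@dataclass(frozen=True)
class SwitchboardConfig:
    condor_uid: int        # the single account allowed to call the Switchboard
    managed_dirs: tuple    # directory trees Condor may delete or chown, e.g. ("/condor/execute",)

def _strictly_under(path: str, root: str) -> bool:
    """True if path, after normalising '..' and resolving symlinks, lies below root.
    Resolving first stops '/condor/execute/../../etc' from passing as managed."""
    real, real_root = os.path.realpath(path), os.path.realpath(root)
    return real != real_root and os.path.commonpath([real, real_root]) == real_root

def authorize_remove_tree(cfg: SwitchboardConfig, caller_uid: int, path: str):
    """Slide 10: StartD asks 'remove the directory tree at <path>'.
    Returns (allowed, reason); only an allowed request would be run as root."""
    if caller_uid != cfg.condor_uid:
        return False, "caller is not the condor account"
    if not os.path.isabs(path):
        return False, "path must be absolute"
    for root in cfg.managed_dirs:
        if _strictly_under(path, root):
            return True, f"{os.path.basename(path)} is in Condor-managed directory {root}"
    return False, "path is not inside any Condor-managed directory"

def authorize_open_as_user(cfg: SwitchboardConfig, caller_uid: int, target_uid: int):
    """Slide 11: SchedD asks 'open file X as user <uid>'. The target must be a
    regular user: never root and (assumed here) never the condor account itself."""
    if caller_uid != cfg.condor_uid:
        return False, "caller is not the condor account"
    if target_uid == ROOT_UID:
        return False, "Switchboard never acts as root on a caller's behalf"
    if target_uid == cfg.condor_uid:
        return False, "target must be a regular job-submitting user, not condor"
    return True, f"opening as uid {target_uid}"

if __name__ == "__main__":
    cfg = SwitchboardConfig(condor_uid=1001, managed_dirs=("/condor/execute",))
    print(authorize_remove_tree(cfg, 1001, "/condor/execute/dir_1234"))   # allowed
    print(authorize_remove_tree(cfg, 1001, "/condor/execute/../../etc"))  # refused
    print(authorize_remove_tree(cfg, 1002, "/condor/execute/dir_1234"))   # refused
    print(authorize_open_as_user(cfg, 1001, 0))                           # refused
```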

Slide 12: Implementation: The ProcD
› Tracks the “family tree” of the Condor Master
› Allows Condor to signal and gather accounting data for processes under its control
› Runs as root (it’s part of the PrivSep Kernel)
› Like the Switchboard, only accepts commands from the condor user account

Slide 13: Implementation: The ProcD
[Diagram: the ProcD tracks the process family Master, StartD, Starter, Job A and Job B; on the request “send a SIGTERM to Job B”, the ProcD delivers SIGTERM to Job B]

Slide 14: Execute Side
[Diagram: Master, StartD, Starter, ProcD, Switchboard]
› PrivSep Kernel provides everything needed for full privilege separation
› File transfer is accomplished by changing the ownership of the job’s sandbox to the condor user temporarily

Slide 15: Submit Side
[Diagram: Master, SchedD, Shadow, ProcD, Switchboard]
› Cannot take care of file transfer via chown
› File transfer logic needs to be executed in a separate, user-owned process (the TransferD)

Slide 16: The TransferD
[Diagram: SchedD, Shadow, TransferD; the TransferD sends data to the execute side]

Slide 17: Current Status
› PrivSep Kernel is implemented completely on UNIX, ProcD-only on Windows
› Execute side has been modified to use the PrivSep Kernel, and can now run as an unprivileged user
› TransferD implementation is complete
› Submit-side integration with the PrivSep Kernel and TransferD is yet to come

Slide 18: Questions?
