Project

General

Profile

Bug #3072

Security issues with distributed execution

Added by Chad Berkley over 11 years ago. Updated about 9 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
distributed execution
Target version:
Start date:
01/16/2008
Due date:
% Done:

0%

Estimated time:
Bugzilla-Id:
3072

Description

See bug 3071. basically, the issues are that arbitrary code can be executed on the slaves so the utmost care needs to be take wrt security. kar files need to be signed, workflows should also possibly be signed. the command line and scripting actors might need additional security built into them. This basically breaks the java sandbox.

History

#1 Updated by Christopher Brooks over 11 years ago

Ptolemy is reasonably well set up to use the Java sandbox, see $PTII/doc/sandbox.htm for details.

The sandbox has fairly fine granularity, by default the execution
of subprocesses is probably disabled.

See $PTII/bin/sandbox.policy for what is enabled.

Perhaps remote kepler processes should be started up in a sandbox in the default,
with the command line and scripting actors defacto disabled?

#2 Updated by Matt Jones over 11 years ago

Its the ability to use the command line actor (for access to various custom simulation models) and the scripting actors like the RExpression actor (to do various custom data processing tasks) that would make distributed execution useful. Eliminating these from the actors available essentially eliminates a vast majority of workflows that a scientist would want to run in a distributed environment. This is a major security/capability dilemma.

#3 Updated by jianwu jianwu over 9 years ago

It can be configured by permission policy file at slave side. Users who start slave will know their requirements and do the corresponding configuration. How to change policy file to permit and forbid ExternalExe and Python actor has been tested. Matlab and R scripting actors are also being tested.

#4 Updated by jianwu jianwu about 9 years ago

It is fixed at version 24539. When a slave is started using startWithExecutionPolicy command, it will use master-slave.policy file to run in a secure sandbox.

By default, it will not allow 'External Execution', 'Python', 'Matlab', 'R'
actors to be executed at the slave side, since there may be malicious codes embedded in these actors.

By configuration this file, the allowance for the above actors can be configured.

#5 Updated by Redmine Admin about 6 years ago

Original Bugzilla ID was 3072

Also available in: Atom PDF