The Maui Scheduler uses the Java Cryptix library (download from http://www.cryptix.org/) to handle authentication and to secure all scheduler socket communication. The various components use the Blowfish cipher and rely on a shared secret key file staying both secret and unmodified: whoever can read or replace that file can impersonate any party in the exchange.
The maui.key file should not be stored in a network-mounted directory: every read of it would then cross the network, and its protection would depend on the file server rather than on the local node. If you are building the Maui Scheduler from source, we suggest using the following flag to the configure script:
Make sure you securely copy the /etc/maui/maui.key file to all machines in the cluster! We suggest scp; never move the key over an unencrypted channel such as rcp or ftp.
The maui.key file is installed with restricted permissions. You need to ensure that these don't get changed: only the Maui Scheduler user (and root) should be able to read the key. Check the owner and mode on every node after copying, not just on the machine you built on.
Users who are allowed to log in to your cluster are allowed to use Maui unless you put a lock on the user's account in the Maui database.
Authentication of users is accomplished through a program which is setuid to the Maui Scheduler user. The client verifies the real uid of the user executing the command and transmits this information to the Maui daemon securely, encrypted under the shared secret. Note what this rests on: the uid is asserted by the client, so the check is only as strong as the secrecy of the key; anyone who can read maui.key can claim any uid.
client_wrap is setuid to the Maui Scheduler user. Normally you wouldn't call this program by itself; all client commands are wrapped with it so that they can communicate securely with the daemon.
sss is the Secure Start Shell, a privilege-escalation program that allows only the Maui Scheduler user to launch jobs as other users on the system (or run tasks as root).
Because of sss, it should be noted that a compromise of the Maui Scheduler user account is equivalent to root on all your nodes! (If you find a simpler way of getting root, we'd like to hear about it. :) Treat that account as you would root. We currently do not support any other privilege-escalation mechanisms but would welcome your patches to do so.
Please don't hesitate to alert us (and send exploit code) if you find insecurities in these programs or in how the Maui Scheduler invokes them.
Prolog and epilog scripts (local and remote) are executed with root privilege, but the Maui Scheduler strips the environment down to just the "MAUI_" variables, so nothing else (PATH included) is inherited; use absolute paths for anything they invoke. They do not have to be scripts; you can execute binaries if you want to.
Maui defaults to listening on a non-privileged port (>1024), so any local user can bind it whenever the daemon is not already running. Potentially a malicious user could start another program listening on this port and masquerade as maui. This should only be a problem if the maui.key file has been compromised: without the key, an impostor cannot produce traffic that clients will accept. It can still keep the real daemon from binding the port, which is a denial of service rather than a successful spoof.
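The wrapper's uid assertion above and the port-masquerade case come down to the same property: only a holder of maui.key can produce a message the other side accepts. The following Python example (added here; it is not Maui's code or its wire protocol) models both directions of that exchange. build_request is what a setuid wrapper would send, carrying the real uid; verify_request is the daemon's check; build_response/verify_response bind the daemon's reply to the request it answers, so a squatter on the port that lacks the key is rejected by the client. It uses an HMAC-SHA256 tag in place of Maui's Blowfish framing, since integrity is the property being tested and a bare block cipher does not supply it by itself; the message fields, the JSON framing and the 30-second clock-skew window are assumptions.

```python
import hashlib
import hmac
import json
import os
import secrets
import time

# Constructed stand-in for the contents of /etc/maui/maui.key: 32 random bytes
# known to both the client wrapper and the daemon.
SHARED_KEY = secrets.token_bytes(32)
MAX_SKEW = 30  # seconds; assumed replay window for requests


def _tag(key, data):
    # Maui encrypts with Blowfish; this example substitutes an HMAC because the
    # check needs integrity and origin, not secrecy.
    return hmac.new(key, data, hashlib.sha256).digest()


def build_request(key, command, args, real_uid=None, now=None):
    """Client side, as a setuid client_wrap would do it: the caller's identity is
    the real uid (os.getuid()), not the effective uid the wrapper runs under."""
    msg = {
        "uid": os.getuid() if real_uid is None else real_uid,
        "cmd": command,
        "args": args,
        "ts": int(time.time() if now is None else now),
        "nonce": secrets.token_hex(8),
    }
    body = json.dumps(msg, sort_keys=True).encode()
    return body + b"\n" + _tag(key, body).hex().encode()


def _split(wire):
    """Separate body and tag; (None, None) if the framing is malformed."""
    body, sep, tag_hex = wire.rpartition(b"\n")
    if not sep:
        return None, None
    try:
        return body, bytes.fromhex(tag_hex.decode())
    except ValueError:
        return None, None


def verify_request(key, wire, now=None):
    """Daemon side: the parsed request, or None if the tag or timestamp fails."""
    body, tag = _split(wire)
    if body is None or not hmac.compare_digest(tag, _tag(key, body)):
        return None
    msg = json.loads(body)
    current = time.time() if now is None else now
    if abs(current - msg["ts"]) > MAX_SKEW:
        return None
    return msg


def build_response(key, request_wire, status):
    """Daemon side: the reply's tag covers the request it answers, so a captured
    reply cannot be replayed against a different request."""
    body = json.dumps({"status": status}).encode()
    return body + b"\n" + _tag(key, request_wire + body).hex().encode()


def verify_response(key, request_wire, wire):
    """Client side: only a holder of the shared key can produce a reply that
    passes, which is what defeats a process squatting on Maui's port."""
    body, tag = _split(wire)
    if body is None or not hmac.compare_digest(tag, _tag(key, request_wire + body)):
        return None
    return json.loads(body)


def demo():
    """The three cases from the text: honest client, forged uid, impostor daemon."""
    now = 1_700_000_000
    req = build_request(SHARED_KEY, "showq", [], real_uid=1001, now=now)
    honest = verify_request(SHARED_KEY, req, now=now)

    # Tampering: a user rewrites the uid field but cannot recompute the tag.
    body, _, tag = req.rpartition(b"\n")
    forged = body.replace(b'"uid": 1001', b'"uid": 0') + b"\n" + tag
    forged_ok = verify_request(SHARED_KEY, forged, now=now)

    # Masquerade: something answering on Maui's port that does not hold maui.key.
    impostor = build_response(secrets.token_bytes(32), req, "ok")
    genuine = build_response(SHARED_KEY, req, "ok")
    return {
        "honest_uid": honest["uid"] if honest else None,
        "forged_accepted": forged_ok is not None,
        "impostor_accepted": verify_response(SHARED_KEY, req, impostor) is not None,
        "genuine_status": (verify_response(SHARED_KEY, req, genuine) or {}).get("status"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the demo is the asymmetry: the daemon learns the uid only through a tag it can check, and the client learns it is talking to the real daemon only through a tag bound to its own request. Both checks collapse the moment maui.key leaks, which is why the file's secrecy, not the port number, is what the earlier sections protect.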