
8. Security

The Maui Scheduler uses the Java Cryptix library (download from http://www.cryptix.org/) to handle authentication and to secure all scheduler socket communication. The various components use the Blowfish cipher and rely on the integrity of a shared secret key file.

8.1 Key file

The maui.key file should not be stored in a network-mounted directory. If you are building the Maui Scheduler source from scratch, we suggest using the following flag to the configure script: --sysconfdir=/etc/maui

Make sure you securely copy the /etc/maui/maui.key file to all machines in the cluster! We suggest scp.

The maui.key file is installed with restricted permissions. You need to ensure that these don't get changed. You only want the Maui Scheduler user (and root) to be able to read the key.
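The checks above (owner, mode, and not living on a network mount) are easy to get wrong by hand, so here is an added audit script for them. It is an example written for this page, not part of the Maui Scheduler distribution; the path /etc/maui/maui.key, the scheduler uid, and the sample /proc/mounts text are assumptions or constructed input, and the network-filesystem detection is a best-effort Linux-only heuristic.

```python
"""Audit a scheduler key file: regular file, unreadable by group/others,
owned by root or the scheduler user, and not on a network filesystem.
Hypothetical example; not code from the Maui Scheduler project."""
import os
import stat
import tempfile

# Filesystem types treated as "network-mounted" (assumption; extend as needed).
NETWORK_FS = {"nfs", "nfs3", "nfs4", "cifs", "smbfs", "afs", "fuse.sshfs"}


def key_file_problems(st_mode: int, st_uid: int, scheduler_uid: int) -> list:
    """Return policy violations for a key file described by its stat fields."""
    problems = []
    if not stat.S_ISREG(st_mode):
        problems.append("not a regular file")
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("readable by group or others")
    if st_uid not in (0, scheduler_uid):
        problems.append("owned by uid %d, expected root or the scheduler user" % st_uid)
    return problems


def filesystem_type(path: str, mounts_text=None):
    """Best-effort: fs type of the longest mount point that prefixes path.
    Reads /proc/mounts unless mounts_text is supplied; None if unavailable."""
    if mounts_text is None:
        try:
            with open("/proc/mounts") as f:
                mounts_text = f.read()
        except OSError:
            return None
    target = os.path.normpath(path)
    best_mnt, best_type = "", None
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        mnt, fstype = parts[1], parts[2]
        prefix = mnt.rstrip("/") + "/"
        if (target == mnt or target.startswith(prefix)) and len(mnt) > len(best_mnt):
            best_mnt, best_type = mnt, fstype
    return best_type


def check_key_file(path: str, scheduler_uid: int, mounts_text=None) -> list:
    """Combine the stat checks with the network-mount check for a real path."""
    st = os.lstat(path)  # lstat so a symlink pointing elsewhere is flagged
    problems = key_file_problems(st.st_mode, st.st_uid, scheduler_uid)
    fstype = filesystem_type(os.path.realpath(path), mounts_text)
    if fstype in NETWORK_FS:
        problems.append("stored on network filesystem %s" % fstype)
    return problems


def demo():
    """Create a constructed sample key in a temp dir and audit it twice:
    once with mode 0600 (clean) and once with mode 0644 (violation)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "maui.key")
        with open(path, "wb") as f:
            f.write(b"constructed-sample-key-material\n")
        os.chmod(path, 0o600)
        good = check_key_file(path, os.getuid(), mounts_text="")
        os.chmod(path, 0o644)
        bad = check_key_file(path, os.getuid(), mounts_text="")
    return good, bad


if __name__ == "__main__":
    print(demo())
    # On a real host you would run e.g. check_key_file("/etc/maui/maui.key", <scheduler uid>)
```

Run it on each node after copying the key: an empty list means the file satisfies the rules in this section, and each string in a non-empty list names one rule that was violated.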

8.2 Client Wrapper

Users that are allowed to log in to your cluster system are allowed to use Maui unless you put a lock on the user's account in the Maui database.

Authentication of users is accomplished through the client_wrap program, which is setuid -> Maui Scheduler user. The wrapper verifies the real uid of the user executing the command and transmits this information to the Maui daemon securely by encrypting it with the secret key.

client_wrap is setuid -> Maui Scheduler user. Normally you wouldn't call this program by itself; all client commands are wrapped with it so that they can communicate securely with the Maui Scheduler.

8.3 Secure Start Shell

The sss is the Secure Start Shell. This is a privilege-escalation script allowing only the Maui Scheduler user to launch jobs as other users on the system (or run tasks as root).

Because of the sss program, it should be noted that a compromise of the Maui Scheduler user account is equivalent to root on all your nodes! (If you find a simpler way of getting root, we'd like to hear about it. :) We currently do not support any other privilege-escalation mechanisms but would welcome your patches to do so.

Please don't hesitate to alert us (and send exploit code) if you find insecurities in these various programs and how the Maui Scheduler invokes them.

8.4 Security Notes

Prolog and epilog scripts (local and remote) are executed with root privilege, but the Maui Scheduler strips the environment down to just the "MAUI_" variables. These do not necessarily have to be scripts; you could execute binaries if you wanted to.

Maui defaults to listening on a non-privileged port (>1024). Potentially a malicious user could start another program listening on this port and masquerade as maui. This should only be a problem if the security of the maui.key file has been compromised.
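Sections 8.2 and 8.4 together describe one mechanism: the client wrapper binds the caller's real uid into a message protected with the shared key, and the same key is what stops a process squatting on the unprivileged port from passing itself off as the daemon. The following is an added illustration of that exchange, written for this page and not taken from the Maui Scheduler; it uses HMAC-SHA256 from the Python standard library in place of the Blowfish encryption the real components use, and the message layout, function names, and the sample secret are constructed for the example.

```python
"""Shared-key authentication between a client wrapper and a scheduler daemon.
Hypothetical example (not Maui's wire format): the request carries the real
uid, a nonce and a timestamp, every message is tagged with HMAC-SHA256 under
the shared key, and the reply echoes the request nonce, so a listener on the
same port cannot answer convincingly without the key."""
import hashlib
import hmac
import json
import os
import secrets
import time

# Constructed sample secret; a deployment would read this from the key file.
SHARED_KEY = b"constructed-sample-secret-do-not-use"
MAX_AGE_SECONDS = 30  # replay window (assumption)


def _encode(key: bytes, payload: dict) -> bytes:
    """Serialise payload canonically and append an HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def _decode(key: bytes, wire: bytes, now: float):
    """Return the payload if the tag verifies and the timestamp is fresh, else None."""
    body, sep, tag = wire.rpartition(b".")
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong key or tampered body
    payload = json.loads(body)
    if abs(now - payload.get("ts", 0)) > MAX_AGE_SECONDS:
        return None  # stale or replayed message
    return payload


def build_request(key: bytes, command: str, real_uid=None, now=None):
    """Client wrapper side: bind the caller's real uid into the request.
    Returns (wire bytes, nonce) so the caller can match the reply."""
    payload = {
        "uid": os.getuid() if real_uid is None else real_uid,
        "cmd": command,
        "nonce": secrets.token_hex(8),
        "ts": time.time() if now is None else now,
    }
    return _encode(key, payload), payload["nonce"]


def handle_request(key: bytes, wire: bytes, now=None):
    """Daemon side: accept only requests authenticated with the shared key."""
    now = time.time() if now is None else now
    req = _decode(key, wire, now)
    if req is None:
        return None
    reply = {"nonce": req["nonce"], "uid": req["uid"], "status": "accepted", "ts": now}
    return _encode(key, reply)


def check_reply(key: bytes, reply_wire: bytes, expected_nonce: str, now=None) -> bool:
    """Client side: accept a reply only if it is keyed with the secret and
    bound to the nonce we sent."""
    now = time.time() if now is None else now
    reply = _decode(key, reply_wire, now)
    return reply is not None and reply.get("nonce") == expected_nonce


def impostor_reply(request_wire: bytes) -> bytes:
    """A process listening on the port without the key can read and echo the
    nonce, but can only tag its answer with a key of its own."""
    body, _, _ = request_wire.rpartition(b".")
    req = json.loads(body)
    forged = {"nonce": req["nonce"], "uid": req["uid"], "status": "accepted", "ts": req["ts"]}
    return _encode(secrets.token_bytes(16), forged)


if __name__ == "__main__":
    wire, nonce = build_request(SHARED_KEY, "showq")
    print("genuine reply accepted:", check_reply(SHARED_KEY, handle_request(SHARED_KEY, wire), nonce))
    print("impostor reply accepted:", check_reply(SHARED_KEY, impostor_reply(wire), nonce))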
