Linux Condor security and bug fix update

Posted on in Categories CentOS, fedora linux, Linux, Linux distribution, package management, RedHat/Fedora Linux, Security Alert, Sys admin last updated August 12, 2008

Condor is a specialized workload management system for compute-intensive jobs. It provides a job queuing mechanism, scheduling policy, priority scheme, and resource monitoring and management.

A flaw was found in the way Condor interpreted wildcards in authorization lists. Certain authorization lists using wildcards in DENY rules, such as DENY_WRITE or HOSTDENY_WRITE, that conflict with the definitions in ALLOW rules, could permit authenticated remote users to submit computation jobs,
even when such access should have been denied. (CVE-2008-3424)

How do I fix this bug in Condor Software?

Type the following command to fix this bug
# up2date -u
If you are using Red Hat Enterprise MRG 1, enter:
# yum update

Bug Fixed in this update

* the /etc/condor/condor_config file started with “What machine is your
central manager?”. The following line was blank, instead of having the
“CONDOR_HOST” option, causing confusion. The “What machine…” text is now

* condor_config.local defined “LOCK = /tmp/[lock file]”. This is no longer
explicitly defined; however, lock files may be in “/tmp/”, and could be
removed by tmpwatch. A “LOCK_FILE_UPDATE_INTERVAL” option, which defaults
to eight hours, has been added. This updates the timestamps on lock files,
preventing them from being removed by tools such as tmpwatch.

* when a “SCHEDD_NAME” name in condor_config ended with an “@”, the
system’s hostname was appended. For example, if “SCHEDD_NAME = test@” was
configured, “condor_q -name test@” failed with an “Collector has no record
of schedd/submitter” error. Now, the hostname is not appended when a name
ends with an “@”. In High Availability (HA) Schedd deployments, this allows
a name to be shared by multiple Schedds.

* when too few arguments were passed to “condor_qedit”, such as
“condor_qedit -constraint TRUE”, a segfault occurred. Better argument
handling has been added to resolve this.

* due to missing common_createddl.sql and pgsql_createddl.sql files,
it was not possible to use Quill. Now, these files are included in

* “condor_submit -dump ad [file-name]” caused a segfault if the [file-name]
job contained “universe = grid”.

* previously, a condor user and group were created if they did not exist,
without specifying a specific UID and GID. Now, UID and GID 64 are used.
The effect of this change is non-existent if upgrading the condor packages.
If an existing condor user and group are manually changed, problems with
file ownership will occur.

Configuration changes (from the Condor release notes – see link below):

* a new CKPT_SERVER_CHECK_PARENT_INTERVAL variable sets the time interval
between a checkpoint server checking if its parent is running. If the
parent server has died, the checkpoint server is shut down.

* a new CKPT_PROBE variable to define an executable for the helper process
Condor uses for information about the CheckpointPlatform attribute.

* STARTER_UPLOAD_TIMEOUT now defaults to 300 seconds.

* new variables (booleans) PREEMPTION_REQUIREMENTS_STABLE and
PREEMPTION_RANK_STABLE, configure whether attributes used in

default value of 5, defines the number of simultaneous WS destroy commands
that can be sent to a server for type gt4 grid universe jobs.

* now, VALID_SPOOL_FILES automatically includes the “SCHEDD.lock” lock file
for condor_schedd HA failover.

* the default value for SEC_DEFAULT_SESSION_DURATION has been changed from
8640000 seconds (100 days) to 86400 seconds (one day).

Important: these updated packages upgrade Condor to version 7.0.4. For a
full list of changes, refer to the Condor release notes:

condor users should upgrade to these updated packages, which resolve these

Leave a Comment