Privilege Separation in Condor - PowerPoint PPT Presentation

About This Presentation
Title:

Privilege Separation in Condor

Description:

Switchboard ... Implementation: The PrivSep Switchboard. root-owned setuid binary ... Like the Switchboard, only accepts commands from the condor user account ... – PowerPoint PPT presentation

Number of Views:80
Avg rating:3.0/5.0
Slides: 19
Provided by: Miron1

Transcript and Presenter's Notes

Title: Privilege Separation in Condor


1
Privilege Separation in Condor
2
Principle of Least Privilege
  • Every program and every user of the system
    should operate using the least set of privileges
    necessary to complete the job.
  • Saltzer and Schroeder, 1975

3
User IDs in Condor
  • An unprivileged account for Condor's files and
    processes
  • Unprivileged accounts for regular users who
    submit jobs to Condor
  • The machine-wide superuser

4
Un-Separated Condor
[Diagram: a single Condor Daemon box with direct access to both Files and Processes]
5
PrivSep Goals
  • Reduce the part of Condor that runs with
    superuser privileges to a small PrivSep Kernel
  • Restrict actions that Condor can perform via the
    PrivSep Kernel to a reasonable minimum for
    Condor's operation

6
PrivSep Kernel
[Diagram: Condor Daemon sends requests to the PrivSep Kernel; the PrivSep Kernel checks whether the requested operation is authorized before performing it]
7
PrivSep Kernel Operations
  • File Operations
    • Change ownership of a directory tree
    • Delete a directory tree
    • Perform an open or rename operation as a regular
      user
  • Process Operations
    • Execute program as a regular user
    • Signal a process
    • Suspend, continue, or kill a process family
    • Get process family usage info

8
PrivSep Kernel Implementation
  • Switchboard
    • Supports the file system operations and the ability
      to create processes as regular users
  • ProcD
    • Supports the rest of the process operations

9
Implementation: The PrivSep Switchboard
  • root-owned setuid binary
  • Configured to allow a single account (condor) to
    use its operations
  • Limits on what actions it will perform are
    defined in a root-owned configuration file

10
Switchboard: rm -rf
[Diagram: message exchange]
StartD → Switchboard: "remove the directory tree at /condor/execute/dir_1234"
Switchboard: "dir_1234 is in a Condor-managed directory, so I'll go ahead"
11
Switchboard: Open as User
[Diagram: message exchange]
SchedD → Switchboard: "open file X as user gquinn"
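The two Switchboard exchanges above boil down to an authorization decision: is the caller the condor account, and does the root-owned configuration permit this operation on this target? The following is an added illustration of that decision logic, not code from Condor itself; the uid values, the managed directory list and the operation names are assumed for the example.

```python
import os

# Constructed stand-in for the root-owned configuration file (slide 9):
# which account may call the Switchboard, which directory trees it may
# delete or chown, and what counts as a "regular user" for open/exec.
CONDOR_UID = 1001                      # assumed uid of the 'condor' account
MANAGED_DIRS = ("/condor/execute", "/condor/spool")
MIN_USER_UID = 1000                    # uids below this are system/root accounts


def _inside_managed_dir(path):
    """True only if path is strictly below one of the managed trees."""
    if not os.path.isabs(path):
        return False
    norm = os.path.normpath(path)      # collapses '..', so /condor/execute/../etc fails
    for base in MANAGED_DIRS:
        base = os.path.normpath(base)
        # commonpath compares whole components: /condor/executefoo is rejected,
        # and removing the managed root itself is rejected too.
        if norm != base and os.path.commonpath([base, norm]) == base:
            return True
    return False


def authorize(caller_uid, op, **args):
    """Decide whether the Switchboard should perform op for caller_uid.

    Returns (allowed, reason). First gate: only the condor account may ask.
    Second gate: each operation is confined by the configured limits.
    A real setuid kernel must also resolve symlinks on the live filesystem
    before acting; this model only checks the lexical path.
    """
    if caller_uid != CONDOR_UID:
        return False, "caller is not the condor account"
    if op in ("remove_tree", "chown_tree"):
        if _inside_managed_dir(args["path"]):
            return True, "path is in a Condor-managed directory"
        return False, "path is outside Condor-managed directories"
    if op in ("open_as_user", "exec_as_user"):
        if args["uid"] < MIN_USER_UID:
            return False, "target uid is not a regular user account"
        return True, "acting as a regular user"
    return False, "unknown operation"


if __name__ == "__main__":
    print(authorize(CONDOR_UID, "remove_tree", path="/condor/execute/dir_1234"))
    print(authorize(CONDOR_UID, "remove_tree", path="/condor/execute/../../etc"))
    print(authorize(CONDOR_UID, "open_as_user", uid=0))
```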
12
Implementation: The ProcD
  • Tracks the family tree of the Condor Master
  • Allows Condor to signal and gather accounting
    data for processes under its control
  • Runs as root (it's part of the PrivSep Kernel)
  • Like the Switchboard, only accepts commands from
    the condor user account

13
Implementation: The ProcD
[Diagram: the ProcD tracks the process family rooted at the Master (Master → StartD → Starter → Job A, Starter → Job B); the Master asks the ProcD to "send a SIGTERM to Job B", and the ProcD delivers the SIGTERM to Job B]
14
Execute Side
  • PrivSep Kernel provides everything needed for
    full privilege separation
  • File transfer is accomplished by changing the
    ownership of the job's sandbox to the condor user
    temporarily

[Diagram: Master with ProcD, StartD, Switchboard and Starter]
15
Submit Side
  • Cannot take care of file transfer via chown
  • File transfer logic needs to be executed in a
    separate, user-owned process (the TransferD)

[Diagram: Master with ProcD, SchedD, Switchboard and Shadow]
16
The TransferD
[Diagram: the SchedD hands off to the TransferD, which sends data to the execute side; the Shadow is shown alongside]
17
Current Status
  • PrivSep Kernel is implemented completely on UNIX,
    ProcD-only on Windows
  • Execute-side has been modified to use the PrivSep
    Kernel, and can now run as an unprivileged user
  • TransferD implementation is complete
  • Submit-side integration with PrivSep Kernel and
    TransferD yet to come

18
Questions?