Securing TeraGrid Community Accounts

Background

With the recent shift towards supporting the development of science gateways on the TeraGrid, there has been much debate over how to properly secure the shared resources (Community Accounts) that these gateways use to interface with RPs on the backend.

At the recent TeraGrid Gateway Security Summit, this debate and several different ideas were boiled down into a couple different security appropaches. These approaches range from not doing anything special to secure these accounts, to requiring that every program the account wishes to run be vetted by a sysadmin and authorization added for the account to run that one particular program.

Because we believe that the latter approach is probably not sustainable, and the former approach fails to provide sufficient accountability for who is doing what with the account, Sean McCreary (NCAR) and I proposed a solution that falls somewhere in the middle.

I call this solution "W^X With Path Restrictions". The basic requirements of this approach are as follows:

Absolutely no direct login access will be allowed to any computer.
All work must be submitted through a grid gatekeeper.
Accounts will only be able to execute programs with specifically approved paths. However, any executable in an approved path may be run.
Accounts will not be able to execute any program that they could potentially modify.

The reasoning behind these requirements is as follows:

In addition to being a security risk, login accounts for which the stated intention is to share the credentials between more than one person are a direct violation of Purdue's site security policy. By disallowing direct access and ensuring that all work is accounted for, we basically turn these into generic service accounts instead.
By limiting the path, we ensure that even in the event of a comprimise, the account can only be used as the gateway developers intended, and cannot execute arbitrary system commands. If the path is set cleverly (for example, to a gateway community software area), we can also determine who is responsible for each program a community account runs simply by looking at the ownership and permissions on that executable.
By preventing the execution of any program the community account could modify, we prevent the circumvention of any of our previous security measures.
By only restricting the path and not maintaining a list of individual allowed executables, we make it easier for gateway developers to deploy new applications or modify existing applications without the need for sysadmin assistance.

Implementation

In order to fulfill the above requirements, we have developed the following implementation at Purdue for securing community accounts:

When a community account is created, we set the login shell on all our systems to the string "nologin". This string was chosen mostly because it has special meaning in our local account management software, which is beyond the scope of this document. However, any invalid login shell (one that does not exist, is not listed in /etc/shells, or does not allow any login access) will work. Setting the shell this way actually provides two safeguards against login access. First, on any system that uses an appropriately configured PAM stack for authentication, login attempts will be denied for any account which does not have a valid login shell listed in /etc/shells. Second, on systems that do not use PAM or where PAM is not configured to make this check, login attempts will fail because the system will not be able to exec the account's shell.
As with all TeraGrid accounts, we do not return a password to gateway developers for their community account at Purdue. We require that all sessions for these accounts be authenticated with either certificates or SSH keys.
Because community accounts at Purdue do not have direct login capabilities, we generally don't mind if they modify their own .profile, .ssh, .rhosts, or similar files. Therefore, we place no restrictions on the account's home directory, other than not being able to execute any program stored there, which will be described later.
We have applied this patch from NCSA to our Globus job manager script. This patch allows the admin to specify an arbitrary command that Globus will run prior to the start of the job to filter commands for community accounts. To use this patch in our approach, we have just changed the value of " FILTER_COMMAND" to our own job validation script.
We use this script to filter commands for community accounts at Purdue. The script reads in a list of community accounts and authorized paths from a file, and checks the path of the requested executable against the list of authorized paths if the account running the job is a community account. It also checks to make sure that the community account does not have write access or ownership on the requested executable or any of its parent directories. Note that you'll probably have to change the location of "job_perm_file" inside this script to something appropriate for your site. An example job_perm file is provided.
When a community account is created, we also create a community software area and a developer group with write access to this area. We require all developers to obtain their own individual TeraGrid accounts and use them to upload software for the gateway.

With this approach, we can ensure that the only access a community account has to Purdue systems is the ability to run specific jobs after being authenticated and logged through a grid gatekeeper. By restricting the list of authorized paths to the community software area, we ensure the account can only be used for gateway related purposes and can only run software installed by the developers. It is then expected that the gateway developers will ensure the security of their applications and not allow the account to be used for anything malicious. However, should they fail to meet that expectation, the amount of damage the community account can do is somewhat limited, and it can always be deactivated completely in the event of an incident. Furthermore, this approach gives us some degree of accountability with respect to who is responsible for the software a community account runs and who used the community account to run what jobs at what times.

Caveats

Take care when setting the allowed paths for the account. It may be possible to escape the restricted environment and run arbitrary commands if the path is set too broadly. If programs from common system locations need to be run, it may be better to add a symlink to those programs from another directory and add that to the path.
Since this approach does not require every incoming executable to be vetted by a sysadmin, it does not protect against mistakes on the part of the gateway developers. If they write a program that allows the community account to bypass these restrictions, it will not provent this. It may be prudent to ensure the developers are using good security techniques before enabling the community account.

Last Updated: Mon, Nov 8, 2010 10:25 Author: gveldman