oss-sec mailing list archives

tm_adopt() vulnerability in TORQUE Resource Manager


From: Chad Vizino <cvizino () adaptivecomputing com>
Date: Thu, 2 Oct 2014 15:26:21 -0600

Within a TORQUE Resource Manager job, the tm_adopt() TORQUE library call
enables a user-built executable calling tm_adopt() to adopt any session id
(and its child processes) regardless of the session id owner on any node
within a job. When a job that includes the executable calling tm_adopt()
exits, the adopted processes are killed along with the job processes during
normal job cleanup. This can enable a non-root user to kill processes
he/she doesn't own, including root-owned ones, on any node in a job.

The issue has been fixed in the following commit numbers for the listed
TORQUE Resource Manager versions:

4.2-dev
967cdc80150690459a47a35a658abeee0ca6e5cb
f2f4c950f3d461a249111c8826da3beaafccace9

4.5-dev
6c4a57b2d7a56b5bda1c57e2af425ff517ffe331

5.0-dev
e2b6253b62fe7e59c5852e2b914b71a095328558

develop
dd7f729eedead89c9253707f85572706077ff1d3

--
Chad Vizino
Adaptive Computing
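
The check whose absence the advisory describes, shown as an added example (not code from this message and not the TORQUE fix in the commits listed above): refuse to adopt a session unless every process in it belongs to the requesting user. The names proc_rec, parse_stat_sid and may_adopt and the sample process table are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* One process as a node daemon might record it (hypothetical type). */
struct proc_rec { pid_t pid; pid_t sid; uid_t uid; };

/* Extract the session id (field 6) from a /proc/<pid>/stat line.
 * The comm field is user-controlled and may contain spaces or ')',
 * so parse from the LAST ')' instead of splitting on whitespace.
 * Returns -1 on malformed input. */
pid_t parse_stat_sid(const char *line)
{
    const char *p = strrchr(line, ')');
    char state;
    int ppid, pgrp, sid;

    if (!p || sscanf(p + 1, " %c %d %d %d", &state, &ppid, &pgrp, &sid) != 4)
        return -1;
    return (pid_t)sid;
}

/* Allow adoption only if the session exists and every process in it
 * is owned by the requester. Returns 1 to allow, 0 to refuse. */
int may_adopt(const struct proc_rec *procs, size_t n, pid_t sid, uid_t requester)
{
    size_t i, members = 0;

    if (sid <= 0)
        return 0;
    for (i = 0; i < n; i++) {
        if (procs[i].sid != sid)
            continue;
        if (procs[i].uid != requester)
            return 0;            /* another user's process: refuse */
        members++;
    }
    return members > 0;          /* unknown or empty session: refuse */
}

/* Constructed sample process table, not taken from a real node. */
static const struct proc_rec sample[] = {
    { 812,  812,  0    },        /* root daemon in its own session */
    { 4100, 4100, 1000 },        /* login shell of uid 1000 */
    { 4117, 4100, 1000 },        /* child of that shell */
    { 5200, 5200, 1000 },        /* session led by uid 1000 ... */
    { 5201, 5200, 0    },        /* ... that also holds a root process */
};
#define SAMPLE_N (sizeof sample / sizeof sample[0])

int main(void)
{
    printf("own=%d root=%d mixed=%d\n", may_adopt(sample, SAMPLE_N, 4100, 1000),
           may_adopt(sample, SAMPLE_N, 812, 1000), may_adopt(sample, SAMPLE_N, 5200, 1000));
    return 0;
}
```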
