
List:       grid-engine-dev
Subject:    Re: [GE dev] qsub preprocessor/filter
From:       Nick Maclaren <nmm1 () cus ! cam ! ac ! uk>
Date:       2004-07-22 10:34:33
Message-ID: E1BnauH-0006lQ-VJ () libra ! cus ! cam ! ac ! uk

> > Appendix D  'qsub wrapper'
> > When the file '/usr/local/sbin/torque_submitfiler' exists, TORQUE will
> > send the command file to that script/executable and allow it to modify
> > anything based on specific site policies.  The resulting file is then
> > handed back to qsub and processing continues.
> 
> While this is nice, I think a bigger problem is that
> users who submit their jobs using DRMAA may be able to
> get a backdoor.
> 
> LSF also has something called the "bsub wrapper", but
> if users submit the jobs using the API, I think
> they will get a backdoor too!

It is secure under Loadleveler.  If I get time (ha, ha!), I mean to
do it properly in Gridengine and send the changes.  In particular,
this would enable us to allow users to use qmon to submit jobs.

We have done this with both LSF and Gridengine.  I have never bothered
to make it secure, as our users are responsible enough (well, mostly)
and few enough that we can police by hand.  The purpose of the wrapper
is to simplify their life by specifying the appropriate combinations,
more than to restrict what they can do.  The things that are locked out
generally don't work, anyway - e.g. checkpointing.

It is actually quite easy to do securely.  I did this once for the X
Windowing System to hammer the idiots who used 'xhost +'.  You create
a group and a setgid wrapper program, which the user calls as qsub.
That then calls the prefilter, which calls the real qsub, which is
either made executable only by that group, or placed in a directory
searchable only by that group.  Depending on which group model you 
have, the wrapper program has to vary a bit (generally, you want to
set a secondary group, not the primary one) - and you may have to 
fiddle a bit at the far end, too.


Regards,
Nick Maclaren,
University of Cambridge Computing Service,
New Museums Site, Pembroke Street, Cambridge CB2 3QH, England.
Email:  nmm1@cam.ac.uk
Tel.:  +44 1223 334761    Fax:  +44 1223 334679
