[gridengine dev] [DRAFT PATCH] Enhancement: exempt certain programs from execd control
William Hay
w.hay at ucl.ac.uk
Fri Nov 11 10:38:39 UTC 2011
On 11 November 2011 10:29, Mark Dixon <m.c.dixon at leeds.ac.uk> wrote:
> On Fri, 11 Nov 2011, William Hay wrote:
> ...
>> While I'm normally in favour of fully general facilities I wonder if
>> this is a little too general. If the purpose of the patch is to
>> exclude SGE infrastructure from being counted as part of the job then
>> could the same effect not be achieved by having qrsh drop the group
>> assigned to the job by the execd. Obvious downsides to my approach:
>>
>> i)I'm only guessing it will work as I've neither read the relevant
>> code nor tested it.
>> ii)As an obvious cause/consequence of the above my idea is pure vaporware.
>> iii)Requires that qrsh start with some privileges, check the sgeconfig
>> to get the gid_range, drop groups and then drop privileges. Errors in
>> said code could represent a security problem.
>
> Hi William, thanks for the interest :)
>
> It may well be too general a feature. I admit I cannot think of another
> good example of where it would come in useful (perhaps for starting an
> ancillary process which uses lots of h_vmem e.g. due to mmap, but very
> little real memory?). Even if this doesn't go anywhere, it has been a
> useful exercise in becoming familiar with the GE code base!
>
> Also, dropping the appropriate group with a setgroups call does work -
> I've got a proof of concept SUID wrapper to qrsh that does this.
>
> However, I really don't like the idea of using SUID root binaries where
> they're not necessary: they're a pain to make sure they do the right
> thing, a pain to install correctly, and they make people suspicious.
>
> I may well be wrong, but SUID root here looks like overkill to me.
>
>> If you don't trust your users then pointing SGE_ROOT and SGE_CELL at a
>> private SGE config could allow arbitrary programs to escape SGE's
>> clutches.
> ...
>
> Are you talking about the SUID solution here, or the suggested
> "exempt" feature?
>
> If SUID: probably ok - we're just talking about the qrsh/qsh/qlogin client
> dropping the group here. It'll escape counting of resource limits, but the
> daemon side won't. The qrsh/qsh/qlogin processes might escape being
> killed, but only if you've enabled (and are relying on) the
> ENABLE_ADDGRP_KILL feature and the daemon side doesn't terminate cleanly.
>
> If the feature: the bit that "exempts" the list of programs from resource
> counting runs within the root-owned execd, which it gets from the
> root-owned qmaster, so I'm not sure how a user would arrange this to
> happen. Job processes would be killed as normal (my subject heading was
> inaccurate).
>
> Cheers,
>
> Mark
> --
> -----------------------------------------------------------------
> Mark Dixon Email : m.c.dixon at leeds.ac.uk
> HPC/Grid Systems Support Tel (int): 35429
> Information Systems Services Tel (ext): +44(0)113 343 5429
> University of Leeds, LS2 9JT, UK
> -----------------------------------------------------------------
>
>
>
More information about the dev
mailing list