[gridengine users] qsub -V doesn't set $PATH

William Hay w.hay at ucl.ac.uk
Fri Apr 3 08:58:16 UTC 2020


On Fri, Apr 03, 2020 at 02:54:19AM +0000, Shiel, Adam wrote:
> I finally had a chance to experiment with this some.
> 
> I think one basic problem was that I had bash as a login shell. Removing bash from the login shell and specifying "qsub -S /bin/bash ...." passed my local PATH to the remote job.
> 
> But when I don't specify "-S /bin/bash" I get the csh login PATH settings. That's our default shell for the queue I'm using. 
> 
> This happens even when csh isn't in the login shell list. I find that unexpected.
> 
Shells read some initialisation files even when not invoked as a login
shell.  From the man page for csh (which is really tcsh) on one of our
clusters:

Non-login shells read only /etc/csh.cshrc and ~/.tcshrc or ~/.cshrc on startup.

So if the PATH is configured in one of those places then it will
override/modify whatever you pass in with -V or -v.

William

> Adam
> 
> -----Original Message-----
> From: users-bounces at gridengine.org [mailto:users-bounces at gridengine.org] On Behalf Of Hay, William
> Sent: Wednesday, January 22, 2020 9:55 AM
> To: Skylar Thompson <skylar2 at uw.edu>
> Cc: users at gridengine.org
> Subject: Re: [gridengine users] qsub -V doesn't set $PATH
> 
> On Tue, Jan 21, 2020 at 03:51:01PM +0000, Skylar Thompson wrote:
> > -V strips out PATH and LD_LIBRARY_PATH for security reasons, since 
> > prolog
> 
> I don't think this is the case.  I've just experimented with one of our 8.1.9 clusters and I can set arbitrary PATHs, run qsub -V and have the value I set show up in the environment of the job.  More likely the job is being run with a shell that is configured as a login shell and the init scripts for the shell are stomping on the value of PATH.
> 
> > and epilog scripts run with the submission environment but possibly in 
> > the context of a different user (i.e. a user could point a 
> > root-running prolog script at compromised binaries or C library).
> 
> This is something slightly different. The prolog and epilog used to run with the exact same environment as the job.  This opened up an attack vector, especially if the prolog or epilog were run as a privileged user rather than the job owner.  The environment in which the prolog and epilog are run is now sanitised.
> 
> William
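The risk discussed in the thread, a prolog or epilog run as a privileged user while inheriting the submitter's PATH or LD_LIBRARY_PATH, can also be handled inside the hook script itself. The following is an added example, not part of the thread and not Grid Engine's own sanitisation code; `SAFE_PATH`, the `RISKY_VARS` list, the function names and the choice to keep only `JOB_ID` are assumptions.

```shell
#!/bin/sh
# Added example (not Grid Engine code): a privileged hook such as a prolog
# that refuses to rely on the environment it inherits from the submitter.

# Fixed search path for everything the hook starts (site-specific assumption).
SAFE_PATH="/usr/sbin:/usr/bin:/sbin:/bin"

# Variables that change which libraries or shell startup files a child
# process loads. The list is an assumption; extend it for your platform.
RISKY_VARS="LD_LIBRARY_PATH LD_PRELOAD LD_AUDIT BASH_ENV ENV"

# inherited_risky: print, space separated, the RISKY_VARS that are set,
# plus PATH when it differs from SAFE_PATH. Useful for logging at hook start.
inherited_risky() {
    found=""
    for name in $RISKY_VARS; do
        # name only ever comes from the constant list above, so eval is safe
        eval "val=\${$name+set}"
        if [ "$val" = "set" ]; then
            found="$found $name"
        fi
    done
    if [ "$PATH" != "$SAFE_PATH" ]; then
        found="$found PATH"
    fi
    echo "${found# }"
}

# run_sanitised CMD [ARGS...]: run CMD with an empty environment plus an
# explicit allow-list. env is called by absolute path so that finding it
# does not depend on the PATH being discarded.
run_sanitised() {
    /usr/bin/env -i PATH="$SAFE_PATH" JOB_ID="${JOB_ID:-}" "$@"
}

# Typical use at the top of a hook:
#   echo "dropping inherited: $(inherited_risky)" >&2
#   run_sanitised /usr/local/sbin/site-prolog-task   # hypothetical path
```

Building the child environment from an allow-list, rather than unsetting known-bad names, means a variable missing from `RISKY_VARS` still never reaches the command.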

