Hi,
We noticed that recently --uid, and --gid functionality changed where
previously a user in the slurm administrators group could launch jobs
successfully with --uid, and --gid , allowing for them to submit jobs as
another user. Now, in order to use --uid, --gid, you have to be the root user.
What was the reasoning in making this change? Do people not trust the folks in
the slurm administrator group to allow this behavior? Seems odd.
This bit us awhile back when upgrading from 16.05.6 to slurm 17.11 which has
this --uid/--gid change in it. We've just recently gotten time to look into it.
We've patched slurm (a very small change) to remove the check as we need this
functionality. I'd imagine there wouldn't be any consequences from the minor
change, but would like to hear if possible why the change was made and if this
code change is a bad idea. Also, is there a better solution to allow a non-root
slurm administrator user to submit jobs as another person?
slurm/src/sbatch/opt.c
----
case LONG_OPT_UID:
if (!optarg)
break; /* Fix for Coverity false positive */
// remove the root only constraint for --uid
/*if (getuid() != 0) {
error("--uid only permitted by root user");
exit(error_exit);
}
*/
if (opt.euid != (uid_t) -1) {
error("duplicate --uid option");
exit(error_exit);
}
if (uid_from_string(optarg, &opt.euid) < 0) {
error("--uid=\"%s\" invalid", optarg);
exit(error_exit);
}
break;
case LONG_OPT_GID:
if (!optarg)
break; /* Fix for Coverity false positive */
// remove the root only constraint for --gid
/*if (getuid() != 0) {
error("--gid only permitted by root user");
exit(error_exit);
}*/
if (opt.egid != (gid_t) -1) {
error("duplicate --gid option");
exit(error_exit);
}
if (gid_from_string(optarg, &opt.egid) < 0) {
error("--gid=\"%s\" invalid", optarg);
exit(error_exit);
}
break;
----
Best,
Chris
—
Christopher Coffey
High-Performance Computing
Northern Arizona University
928-523-1167
