[GE users] qresub as other user

Andreas Haas Andreas.Haas at Sun.COM
Mon Nov 21 10:59:44 GMT 2005

On Mon, 21 Nov 2005, Andy Schwierskott wrote:

> > Doing qresub of some other user's job script allows you to access his/her job
> > script. Just imagine if there is anything confidential inside the script.
> ??? Why?
> If I do qresub of another job where from I should get higher privileges? Of
> course the new job would have to be submitted under the username/groupname
> of the qresub user.

I agree with respect to all other job attributes. But my point here is
solely about the *job script* itself. Read/execute access by some other
users isn't unproblematic as the job script could contain something
confidential. Without qresub, access isn't possible since Grid Engine
provides no documented interface for reading other users' job scripts.

This brings me to undocumented interfaces: I just encountered that there is
an issue with qmaster spooled job scripts being readable by world:

   > cd $SGE_ROOT/default/spool/qmaster/job_scripts/
   > ls
   1604  1605  1606  1607  1608  1609
   > ll
   total 18
   drwxr-xr-x   2 codadmin staff       2048 Nov 21 11:24 .
   drwxr-xr-x   4 codadmin staff        512 Oct 28 17:44 ..
   -rw-r--r--   1 codadmin staff        326 Nov 17 15:21 1604
   -rw-r--r--   1 codadmin staff        326 Nov 17 15:21 1605
   -rw-r--r--   1 codadmin staff        326 Nov 21 11:23 1606
   -rw-r--r--   1 codadmin staff        326 Nov 21 11:23 1607
   -rw-r--r--   1 codadmin staff        326 Nov 21 11:23 1608
   -rw-r--r--   1 codadmin staff        326 Nov 21 11:24 1609

Shouldn't that be changed? Due to availability of qresub there shouldn't be
a reason to open those files for read access by world. Then I believe job
scripts aren't accessible except if the primary group of the Grid Engine admin
user is also used by regular users.

> As I explained above anyone can fully mimic qresub with existing qstat/qsub
> options.

But not his/her job script.

> You even could do nice things with it: An admin can submit "template" jobs
> and put a hold on these jobs. Any user could reuse these jobs without the
> need to have access to the job script and no interference of any existing
> global/local "sge_request" file.

I just encountered that the issue was no issue, as it turned out that qresub
for other users anyway works only if that user has manager privileges.
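
Added example (not part of the original message and not Grid Engine code): a shell check that reports spooled job scripts readable by world or by group only, the two cases the message distinguishes. The demo directory, job ids and modes are constructed; on a real installation the function would be pointed at `$SGE_ROOT/default/spool/qmaster/job_scripts`.

```shell
#!/bin/sh
# Report over-broad read access in a qmaster job_scripts spool directory.
# Output: one "<class> <path>" line per finding. Exit 0 = clean, 1 = findings,
# 2 = bad argument. Only permission bits are inspected; nothing is changed.

audit_job_scripts() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    findings=$(
        # Directory itself: other may list and traverse it.
        find "$dir" -prune -perm -005 \
            -exec printf 'dir-world-accessible %s\n' {} \;
        # Script files readable by other.
        find "$dir" -type f -perm -004 \
            -exec printf 'world-readable %s\n' {} \;
        # Readable by group only: matters when regular users share the
        # primary group of the admin user.
        find "$dir" -type f -perm -040 ! -perm -004 \
            -exec printf 'group-readable %s\n' {} \;
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed demo directory: job ids and modes are made up for illustration.
demo=$(mktemp -d)
chmod 755 "$demo"
for id in 1604 1605 1606; do : > "$demo/$id"; done
chmod 644 "$demo/1604"   # same mode as the files in the listing above
chmod 640 "$demo/1605"
chmod 600 "$demo/1606"
audit_job_scripts "$demo" || echo "findings reported (exit status $?)"
rm -rf "$demo"
```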

