[GE users] Prevent users from running their own scripts

reuti reuti at staff.uni-marburg.de
Mon Feb 16 13:23:18 GMT 2009


Am 16.02.2009 um 09:58 schrieb sanfermines:

> Thank you very much for your answers.
>
> I am trying to implement the starter_method solution, but I can't find
> the location of the "job script" that has been launched.
>
> I tried to do an echo "$@" in the starter_method script but  I got
> that script arg is /opt/sge/default/spool..... So I can't check where
> originally that script came from.

Correct. You can either make a `diff`to allowed scripts or setup a  
default to submit jobs with "-b y" in $SGE_ROOT/default/common/ 
sge_request.

Then you will get the path to the original script. Just note, that  
changing the script while a job is waiting will also change it's  
behavior, while the behavior you observed copies the script at time  
of the job submission.

-- Reuti


>
> Any ideas?
>
> thank you very much.
>
> On Thu, Feb 12, 2009 at 12:19 PM, reuti <reuti at staff.uni- 
> marburg.de> wrote:
>> Hi,
>>
>> Am 12.02.2009 um 10:06 schrieb sanfermines:
>>
>>> Users have access to write on some folders of the pc, so, they can
>>> just create their own scripts there, and later execute them using  
>>> sge.
>>>
>>> Is there anyway to prevent this to happen? For example, configuring
>>> sge to just run scripts from a determined folder?
>>
>> you would have to:
>>
>> a) disable interactive use, as you could do anything inside the
>> created shell. Then
>>
>> b) check the issued script, maybe in a "starter_method" in the queue
>> definition, whether it's allowed to be run as the name is given to
>> the starter_method as argument (like any additonal arguments).
>>
>> or, another option could be, to run only signed scripts:
>>
>> http://www.ibm.com/developerworks/linux/edu/l-dw-linux-lockdown1-
>> i.html?S_TACT=105AGX03&S_CMP=EDU
>>
>> http://www.ibm.com/developerworks/edu/l-dw-linux-lockdown2-i.html?
>> S_TACT=105AGX03&S_CMP=EDU
>>
>> -- Reuti
>>
>>
>>> I have been looking for such option but I couldn't find it. I tried
>>> even to chmod a script file to 644 but it stills executes.
>>>
>>> Thank you very much,
>>>
>>>
>>> Ignacio
>>>
>>> ------------------------------------------------------
>>> http://gridengine.sunsource.net/ds/viewMessage.do?
>>> dsForumId=38&dsMessageId=103871
>>>
>>> To unsubscribe from this discussion, e-mail: [users-
>>> unsubscribe at gridengine.sunsource.net].
>>
>> ------------------------------------------------------
>> http://gridengine.sunsource.net/ds/viewMessage.do? 
>> dsForumId=38&dsMessageId=103944
>>
>> To unsubscribe from this discussion, e-mail: [users- 
>> unsubscribe at gridengine.sunsource.net].
>>
>
> ------------------------------------------------------
> http://gridengine.sunsource.net/ds/viewMessage.do? 
> dsForumId=38&dsMessageId=107108
>
> To unsubscribe from this discussion, e-mail: [users- 
> unsubscribe at gridengine.sunsource.net].

------------------------------------------------------
http://gridengine.sunsource.net/ds/viewMessage.do?dsForumId=38&dsMessageId=107282

To unsubscribe from this discussion, e-mail: [users-unsubscribe at gridengine.sunsource.net].



More information about the gridengine-users mailing list