[GE users] Prevent users from running their own scripts

sanfermines sanfermines at gmail.com
Thu Feb 19 09:58:45 GMT 2009


I finally did a diff of the script launched and all files in my
scripts directory.

It works perfectly.

Thank you very much for your help.


On Mon, Feb 16, 2009 at 2:23 PM, reuti <reuti at staff.uni-marburg.de> wrote:
> Am 16.02.2009 um 09:58 schrieb sanfermines:
>
>> Thank you very much for your answers.
>>
>> I am trying to implement the starter_method solution, but I can't find
>> the location of the "job script" that has been launched.
>>
>> I tried to do an echo "$@" in the starter_method script but I got
>> that script arg is /opt/sge/default/spool..... So I can't check where
>> originally that script came from.
>
> Correct. You can either make a `diff` to allowed scripts or set up a
> default to submit jobs with "-b y" in
> $SGE_ROOT/default/common/sge_request.
>
> Then you will get the path to the original script. Just note, that
> changing the script while a job is waiting will also change its
> behavior, while the behavior you observed copies the script at time
> of the job submission.
>
> -- Reuti
>
>
>>
>> Any ideas?
>>
>> thank you very much.
>>
>> On Thu, Feb 12, 2009 at 12:19 PM, reuti <reuti at staff.uni-marburg.de> wrote:
>>> Hi,
>>>
>>> Am 12.02.2009 um 10:06 schrieb sanfermines:
>>>
>>>> Users have access to write on some folders of the pc, so, they can
>>>> just create their own scripts there, and later execute them using
>>>> sge.
>>>>
>>>> Is there any way to prevent this from happening? For example, configuring
>>>> sge to just run scripts from a determined folder?
>>>
>>> you would have to:
>>>
>>> a) disable interactive use, as you could do anything inside the
>>> created shell. Then
>>>
>>> b) check the issued script, maybe in a "starter_method" in the queue
>>> definition, whether it's allowed to be run as the name is given to
>>> the starter_method as argument (like any additional arguments).
>>>
>>> or, another option could be, to run only signed scripts:
>>>
>>> http://www.ibm.com/developerworks/linux/edu/l-dw-linux-lockdown1-i.html?S_TACT=105AGX03&S_CMP=EDU
>>>
>>> http://www.ibm.com/developerworks/edu/l-dw-linux-lockdown2-i.html?S_TACT=105AGX03&S_CMP=EDU
>>>
>>> -- Reuti
>>>
>>>
>>>> I have been looking for such option but I couldn't find it. I tried
>>>> even to chmod a script file to 644 but it still executes.
>>>>
>>>> Thank you very much,
>>>>
>>>>
>>>> Ignacio
>>>>
>>>> ------------------------------------------------------
>>>> http://gridengine.sunsource.net/ds/viewMessage.do?
>>>> dsForumId=38&dsMessageId=103871
>>>>
>>>> To unsubscribe from this discussion, e-mail: [users-
>>>> unsubscribe at gridengine.sunsource.net].
>>>
>>
>

------------------------------------------------------
http://gridengine.sunsource.net/ds/viewMessage.do?dsForumId=38&dsMessageId=109659

To unsubscribe from this discussion, e-mail: [users-unsubscribe at gridengine.sunsource.net].
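
The content check discussed in this thread (comparing the spooled job script against every file in a directory of approved scripts from inside the starter_method), written out as an added example that is not part of the original messages. The directory path, the function name `is_allowed_script`, the use of `cmp -s` in place of `diff`, and launching the approved script with `exec "$@"` are assumptions.

```shell
#!/bin/sh
# Added example: allow-list starter_method for a Grid Engine queue.
# ALLOWED_DIR is a hypothetical path; only administrators may write to it.
# It is hard-coded on purpose: the job environment can carry user-supplied
# variables (qsub -v), so the location is never read from the environment.
ALLOWED_DIR=/opt/sge/allowed_scripts

# is_allowed_script JOB_SCRIPT DIR
# Returns 0 only if JOB_SCRIPT is byte-identical to a regular file in DIR.
# Content is compared, not the path, because without "-b y" the argument
# is the copy in the spool directory, not the file the user submitted.
is_allowed_script() {
    job_script=$1
    dir=$2
    # A missing or non-regular job script is refused.
    [ -f "$job_script" ] || return 1
    for candidate in "$dir"/*; do
        # Skips sub-directories and the unexpanded glob of an empty DIR.
        [ -f "$candidate" ] || continue
        if cmp -s "$job_script" "$candidate"; then
            return 0
        fi
    done
    return 1
}

# Grid Engine passes the job script followed by the job's own arguments.
if [ "$#" -gt 0 ]; then
    if is_allowed_script "$1" "$ALLOWED_DIR"; then
        # Assumption: the spooled script can be executed directly.
        exec "$@"
    fi
    echo "starter_method: job script is not in the allow list, refusing to run" >&2
    exit 1
fi
```

Because the comparison is byte-exact, an approved script that has been edited in any way is refused until the administrator's copy in the allow-list directory is updated.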


