Security aspects
In OAR, security and user switching are managed by the “oardodo” command. It is
a suid binary, executable only by root and members of the oar group, that
is used to launch a command, a terminal or a script with the privileges of a
particular user. When “oardodo” is called, it checks the value of an
environment variable: OARDO_BECOME_USER.
If this variable is empty, “oardodo” executes the command with the privileges of the superuser (root).
Otherwise, this variable contains the name of the user that will be used to execute the command.
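Because an empty OARDO_BECOME_USER means the command runs as root, the ownership and mode of the binary are the only gate in front of that privilege. The following audit check is an added example, not part of OAR: the function names are hypothetical, GNU `stat` is assumed, the path to “oardodo” must be supplied by the administrator, and the write-bit check is an extra hardening test that the text above does not state.

```shell
#!/bin/sh
# Added example (not OAR code): audit the permission model described above.
# audit_oardodo_perms MODE OWNER GROUP
#   MODE is the octal mode as printed by `stat -c %a` (e.g. 4750).
#   Prints one FINDING line per problem and returns 0 only if there are none.
audit_oardodo_perms() {
    mode=$1 owner=$2 group=$3
    bits=$((0$mode))    # the leading 0 makes the shell parse MODE as octal
    rc=0
    if [ $((bits & 04000)) -eq 0 ]; then
        echo "FINDING: setuid bit is not set, user switching cannot work"; rc=1
    fi
    if [ "$owner" != "root" ]; then
        echo "FINDING: owner is '$owner', expected root"; rc=1
    fi
    if [ "$group" != "oar" ]; then
        echo "FINDING: group is '$group', expected oar"; rc=1
    fi
    if [ $((bits & 0010)) -eq 0 ]; then
        echo "FINDING: oar group members cannot execute the binary"; rc=1
    fi
    if [ $((bits & 0001)) -ne 0 ]; then
        echo "FINDING: executable by users outside root and the oar group"; rc=1
    fi
    # Extra check, not stated in the text: nobody but root may modify the file.
    if [ $((bits & 0022)) -ne 0 ]; then
        echo "FINDING: writable by group or others"; rc=1
    fi
    return $rc
}

# audit_oardodo_file PATH: read mode, owner and group from disk, then audit.
# Returns 2 if the file cannot be examined. Assumes GNU coreutils stat.
audit_oardodo_file() {
    info=$(stat -c '%a %U %G' "$1") || return 2
    set -- $info
    audit_oardodo_perms "$1" "$2" "$3"
}

# Usage: audit_oardodo_file /path/to/oardodo    (placeholder path)
```
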
Here are the scripts/modules where “oardodo” is called and which user is used during this call:
- OAR::Modules::Judas: this module is used for logging and notification.
  - user notification: email or command execution. OARDO_BECOME_USER = user
- oarsub: this script is used for submitting jobs or reservations.
  - read user script
  - connection to the job and the remote shell
  - keys management
  - job key export

  For all these functions, the user set in the OARDO_BECOME_USER variable is the user that submits the job.
- pingchecker: this module is used to check resources health. Here, the user is root.
- oarexec: executed on the first reserved node, oarexec executes the job prologue and initiates the job.
  - the “clean” method kills every oarsub connection process in superuser mode
  - the “kill_children” method kills every child of the process in superuser mode
  - execution of a passive job in user mode
  - retrieval of the user shell in user mode
  - checkpointing in superuser mode
- job_resource_manager: the job_resource_manager script is a Perl script that the OAR server deploys on nodes to manage cpusets, users, job keys…
  - cpuset creation and cleaning are executed in superuser mode
- oarsh_shell: shell program used with the oarsh script. It adds its own process to the cpuset and launches the shell or the script of the user.
  - cpuset filling, “nice” and display management are executed as root.
  - TTY login is executed as user.
- oarsh: OAR’s ssh wrapper to connect from node to node. It contains all the context variables useful for this connection.
  - display management and connection with a user job key file are executed as user.