[Mauiusers] Re: [torqueusers] Apache/PHP based job submission portal

Prakash Velayutham Prakash.Velayutham at cchmc.org
Fri May 30 08:43:14 MDT 2008


Hi Steve,

For that to work, I have to make the PHP scripts run as CGI instead of  
mod_php and that is currently not desirable at my site.

Unless, someone here can confirm that in the same physical server I  
can run certain Virtual Hosts with PHP as CGI and in other VHs run PHP  
as mod_php??

Thanks for the suggestion,
Prakash


On May 30, 2008, at 10:34 AM, Steve Young wrote:

> Just a thought but what about Apache's suexec?
>
> http://httpd.apache.org/docs/1.3/suexec.html
>
> -Steve
>
>
> On May 30, 2008, at 7:33 AM, Prakash Velayutham wrote:
>
>> Thanks for all your responses.
>>
>> I think the solution Jan suggested would be nice to implement and  
>> least exploitable. Please correct me if I am wrong.
>>
>> Jan,
>>
>> Do you have a skeleton code that you would be willing to provide?  
>> Is this C-based?
>>
>> Thanks again,
>> Prakash
>>
>>
>> On May 29, 2008, at 6:30 PM, Jan Ploski wrote:
>>
>>> Joshua Bernstein wrote:
>>>> On May 29, 2008, at 3:10 PM, Prakash Velayutham wrote:
>>>>> Hi All,
>>>>>
>>>>> This is not a Torque or Maui question, but I am very positive  
>>>>> that some of the bright guys here have this already setup in  
>>>>> some form or the other.
>>>>>
>>>>> We have a PHP-based web application which has a compute portion  
>>>>> which we want to ship out to our compute cluster. Also, the PHP  
>>>>> application is secure, meaning, only authenticated users can  
>>>>> submit jobs.
>>>>>
>>>>> My question is, how can I make the submitted jobs run as the  
>>>>> logged in user and not the generic Apache user (wwwrun or www or  
>>>>> somebody else based on the distro)?
>>>> It should be fairly straight forward to have the PHP/Apache  
>>>> application construct a job script. When the PHP scripts goes to  
>>>> qsub the script, instead of just doing a system("qsub..."), You  
>>>> should perhaps fork() and then setuid() to the username of user  
>>>> running the job. TORQUE would therefore see the job being  
>>>> submitted as the user rather then the www-data, or whatever user  
>>>> the web server is running as. I could see an issue though where  
>>>> the web user might not be able to setuid() to another user. I'd  
>>>> hesitate to run the web server with setuid privileges... Hmmm, it  
>>>> is a start though.
>>>
>>> I solved a similar problem by implementing a little daemon process  
>>> which runs as root (and so can su to whatever user you wish) and  
>>> monitors a spool directory to which the unprivileged user (such as  
>>> wwwrun) has write access. The unprivileged user's process writes a  
>>> request file and notifies the daemon (by making a connection to a  
>>> TCP socket, another IPC mechanism could be used, too).
>>>
>>> You could also add wwwrun to sudoers, but that would be less secure.
>>>
>>> Regards,
>>> Jan Ploski
>>> _______________________________________________
>>> torqueusers mailing list
>>> torqueusers at supercluster.org
>>> http://www.supercluster.org/mailman/listinfo/torqueusers
>>
>> Prakash Velayutham
>> Programmer / Analyst
>> Cincinnati Children's Hospital Medical Center
>>
>> _______________________________________________
>> mauiusers mailing list
>> mauiusers at supercluster.org
>> http://www.supercluster.org/mailman/listinfo/mauiusers
>
> _______________________________________________
> torqueusers mailing list
> torqueusers at supercluster.org
> http://www.supercluster.org/mailman/listinfo/torqueusers

Prakash Velayutham
Programmer / Analyst
Cincinnati Children's Hospital Medical Center

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.supercluster.org/pipermail/mauiusers/attachments/20080530/2943a9f4/attachment-0001.html


More information about the mauiusers mailing list