[torqueusers] Apache/PHP based job submission portal

Prakash Velayutham Prakash.Velayutham at cchmc.org
Fri May 30 05:33:27 MDT 2008 

Thanks for all your responses.

I think the solution Jan suggested would be nice to implement and  
least exploitable. Please correct me if I am wrong.

Jan,

Do you have a skeleton code that you would be willing to provide? Is  
this C-based?

Thanks again,
Prakash


On May 29, 2008, at 6:30 PM, Jan Ploski wrote:

> Joshua Bernstein wrote:
>> On May 29, 2008, at 3:10 PM, Prakash Velayutham wrote:
>>> Hi All,
>>>
>>> This is not a Torque or Maui question, but I am very positive that  
>>> some of the bright guys here have this already setup in some form  
>>> or the other.
>>>
>>> We have a PHP-based web application which has a compute portion  
>>> which we want to ship out to our compute cluster. Also, the PHP  
>>> application is secure, meaning, only authenticated users can  
>>> submit jobs.
>>>
>>> My question is, how can I make the submitted jobs run as the  
>>> logged in user and not the generic Apache user (wwwrun or www or  
>>> somebody else based on the distro)?
>> It should be fairly straight forward to have the PHP/Apache  
>> application construct a job script. When the PHP scripts goes to  
>> qsub the script, instead of just doing a system("qsub..."), You  
>> should perhaps fork() and then setuid() to the username of user  
>> running the job. TORQUE would therefore see the job being submitted  
>> as the user rather then the www-data, or whatever user the web  
>> server is running as. I could see an issue though where the web  
>> user might not be able to setuid() to another user. I'd hesitate to  
>> run the web server with setuid privileges... Hmmm, it is a start  
>> though.
>
> I solved a similar problem by implementing a little daemon process  
> which runs as root (and so can su to whatever user you wish) and  
> monitors a spool directory to which the unprivileged user (such as  
> wwwrun) has write access. The unprivileged user's process writes a  
> request file and notifies the daemon (by making a connection to a  
> TCP socket, another IPC mechanism could be used, too).
>
> You could also add wwwrun to sudoers, but that would be less secure.
>
> Regards,
> Jan Ploski
> _______________________________________________
> torqueusers mailing list
> torqueusers at supercluster.org
> http://www.supercluster.org/mailman/listinfo/torqueusers

Prakash Velayutham
Programmer / Analyst
Cincinnati Children's Hospital Medical Center

More information about the torqueusers mailing list