[Mauiusers] Re: [torqueusers] Apache/PHP based job submission
chemadm at hamilton.edu
Fri May 30 08:34:42 MDT 2008
Just a thought but what about Apache's suexec?
On May 30, 2008, at 7:33 AM, Prakash Velayutham wrote:
> Thanks for all your responses.
> I think the solution Jan suggested would be nice to implement and
> least exploitable. Please correct me if I am wrong.
> Do you have a skeleton code that you would be willing to provide?
> Is this C-based?
> Thanks again,
> On May 29, 2008, at 6:30 PM, Jan Ploski wrote:
>> Joshua Bernstein wrote:
>>> On May 29, 2008, at 3:10 PM, Prakash Velayutham wrote:
>>>> Hi All,
>>>> This is not a Torque or Maui question, but I am very positive
>>>> that some of the bright guys here have this already setup in
>>>> some form or the other.
>>>> We have a PHP-based web application which has a compute portion
>>>> which we want to ship out to our compute cluster. Also, the PHP
>>>> application is secure, meaning, only authenticated users can
>>>> submit jobs.
>>>> My question is, how can I make the submitted jobs run as the
>>>> logged in user and not the generic Apache user (wwwrun or www or
>>>> somebody else based on the distro)?
>>> It should be fairly straight forward to have the PHP/Apache
>>> application construct a job script. When the PHP scripts goes to
>>> qsub the script, instead of just doing a system("qsub..."), You
>>> should perhaps fork() and then setuid() to the username of user
>>> running the job. TORQUE would therefore see the job being
>>> submitted as the user rather then the www-data, or whatever user
>>> the web server is running as. I could see an issue though where
>>> the web user might not be able to setuid() to another user. I'd
>>> hesitate to run the web server with setuid privileges... Hmmm, it
>>> is a start though.
>> I solved a similar problem by implementing a little daemon process
>> which runs as root (and so can su to whatever user you wish) and
>> monitors a spool directory to which the unprivileged user (such as
>> wwwrun) has write access. The unprivileged user's process writes a
>> request file and notifies the daemon (by making a connection to a
>> TCP socket, another IPC mechanism could be used, too).
>> You could also add wwwrun to sudoers, but that would be less secure.
>> Jan Ploski
>> torqueusers mailing list
>> torqueusers at supercluster.org
> Prakash Velayutham
> Programmer / Analyst
> Cincinnati Children's Hospital Medical Center
> mauiusers mailing list
> mauiusers at supercluster.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the torqueusers