[Mauiusers] Re: [torqueusers] Apache/PHP based job submission portal
Steve Young
chemadm at hamilton.edu
Fri May 30 08:34:42 MDT 2008
Just a thought but what about Apache's suexec?
http://httpd.apache.org/docs/1.3/suexec.html
-Steve
On May 30, 2008, at 7:33 AM, Prakash Velayutham wrote:
> Thanks for all your responses.
>
> I think the solution Jan suggested would be nice to implement and
> least exploitable. Please correct me if I am wrong.
>
> Jan,
>
> Do you have a skeleton code that you would be willing to provide?
> Is this C-based?
>
> Thanks again,
> Prakash
>
>
> On May 29, 2008, at 6:30 PM, Jan Ploski wrote:
>
>> Joshua Bernstein wrote:
>>> On May 29, 2008, at 3:10 PM, Prakash Velayutham wrote:
>>>> Hi All,
>>>>
>>>> This is not a Torque or Maui question, but I am very positive
>>>> that some of the bright guys here have this already set up in
>>>> some form or the other.
>>>>
>>>> We have a PHP-based web application which has a compute portion
>>>> which we want to ship out to our compute cluster. Also, the PHP
>>>> application is secure, meaning, only authenticated users can
>>>> submit jobs.
>>>>
>>>> My question is, how can I make the submitted jobs run as the
>>>> logged in user and not the generic Apache user (wwwrun or www or
>>>> somebody else based on the distro)?
>>> It should be fairly straightforward to have the PHP/Apache
>>> application construct a job script. When the PHP script goes to
>>> qsub the script, instead of just doing a system("qsub..."), you
>>> should perhaps fork() and then setuid() to the username of the user
>>> running the job. TORQUE would therefore see the job being
>>> submitted as the user rather than the www-data, or whatever user
>>> the web server is running as. I could see an issue though where
>>> the web user might not be able to setuid() to another user. I'd
>>> hesitate to run the web server with setuid privileges... Hmmm, it
>>> is a start though.
>>
>> I solved a similar problem by implementing a little daemon process
>> which runs as root (and so can su to whatever user you wish) and
>> monitors a spool directory to which the unprivileged user (such as
>> wwwrun) has write access. The unprivileged user's process writes a
>> request file and notifies the daemon (by making a connection to a
>> TCP socket; another IPC mechanism could be used, too).
>>
>> You could also add wwwrun to sudoers, but that would be less secure.
>>
>> Regards,
>> Jan Ploski
>> _______________________________________________
>> torqueusers mailing list
>> torqueusers at supercluster.org
>> http://www.supercluster.org/mailman/listinfo/torqueusers
>
> Prakash Velayutham
> Programmer / Analyst
> Cincinnati Children's Hospital Medical Center
>
> _______________________________________________
> mauiusers mailing list
> mauiusers at supercluster.org
> http://www.supercluster.org/mailman/listinfo/mauiusers
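The spool-directory daemon described in the quoted reply, sketched from the root side as an added example that is not code from this thread or from any poster. The request format (`user=` and `script=` lines), the spool path, the `.pbs` naming rule and the `MIN_UID` cutoff are all assumptions made for illustration.

```python
import os
import pwd
import re
import subprocess

SPOOL = "/var/spool/jobportal"   # hypothetical spool directory writable by the web user
MIN_UID = 1000                   # assumption: ordinary accounts start at this UID
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
SCRIPT_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.pbs")   # hypothetical naming rule

def parse_request(text, spool=SPOOL, lookup=pwd.getpwnam):
    """Validate a request file written by the unprivileged web process.

    Returns (passwd entry, absolute script path) or raises ValueError.
    Everything in the request is untrusted input to a root process."""
    fields = dict(l.split("=", 1) for l in text.splitlines() if "=" in l)
    user, script = fields.get("user", ""), fields.get("script", "")
    if not USER_RE.fullmatch(user):
        raise ValueError("bad user name")
    try:
        pw = lookup(user)
    except KeyError:
        raise ValueError("unknown user")
    if pw.pw_uid < MIN_UID:              # never submit as root or a service account
        raise ValueError("system account refused")
    if not SCRIPT_RE.fullmatch(script):  # plain file name only, no path components
        raise ValueError("bad script name")
    return pw, os.path.join(spool, script)

def submit(pw, script_path):
    """Run qsub as the target user. Must be called by root."""
    def demote():
        # Order matters: group changes need root, so setuid() comes last.
        os.setgid(pw.pw_gid)
        os.initgroups(pw.pw_name, pw.pw_gid)
        os.setuid(pw.pw_uid)
    env = {"PATH": "/usr/bin:/bin", "HOME": pw.pw_dir, "USER": pw.pw_name}
    done = subprocess.run(["qsub", script_path], preexec_fn=demote, env=env,
                          cwd=pw.pw_dir, capture_output=True, text=True,
                          check=True)
    return done.stdout.strip()           # job id printed by qsub
```

The daemon still trusts the web application's claim about which user is logged in, so a compromised web process can submit as any account that passes these checks; the validation only keeps it away from root and system accounts and from paths outside the spool.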