[torqueusers] Prevent users to run commands directly

Jeff Anderson-Lee jonah at eecs.berkeley.edu
Fri Nov 9 10:24:48 MST 2012


Login and ssh check to see if /etc/nologin is there and will disallow 
non-root logins if it is present.

http://linux.about.com/library/cmd/blcmdl5_nologin.htm

Note that this will only work if (a) users only request one node per 
job, or (b) you have some other channel for them to start their other 
processes, since by default your job is only started on one node in one 
process. For our use case it works. For many others it might not.

Jeff

On 11/9/2012 12:05 AM, Mahmood Naderan wrote:
>> A cron job that repeatedly touches /etc/nologin seems to do it for us
> What is that file? I don't have that.
>   
>
> Regards,
> Mahmood
>
>
>
> ----- Original Message -----
> From: Jeff Anderson-Lee <jonah at eecs.berkeley.edu>
> To: Torque Users Mailing List <torqueusers at supercluster.org>
> Cc:
> Sent: Thursday, November 8, 2012 6:20 PM
> Subject: Re: [torqueusers] Prevent users to run commands directly
>
> A cron job that repeatedly touches /etc/nologin seems to do it for us.
>
> Jeff
>
> On 11/7/2012 7:34 PM, Henryk Modzelewski wrote:
>> Mahmood,
>>
>> A clean solution is to use mom's prologue/epilogue to modify /etc/security/access.conf to add/remove particular user access privileges as controlled by pam access module. Users can still cheat around this once they have jobs running, but it takes some creativity to do so. I have been using this solution effectively for many years, and only occasionally had to punish somebody by deleting their non-torque processes.
>>
>> Henryk
>> _______________________________________________________
>> Henryk Modzelewski, UBC EOS, SLIM/WFRT
>> Contact info: http://www.eos.ubc.ca/~henryk/
>>
>> "If you get the results that you expected,
>> it does not always mean that you get the correct results."
>> _______________________________________________________
>>
>> On Nov 7, 2012, at 6:40 AM, Mahmood Naderan wrote:
>>
>>> I asked a similar question before
>>> http://www.supercluster.org/pipermail/torqueusers/2011-February/012283.html
>>>
>>> There were some good points but I didn't implement a script. In general, to find out
>>>
>>> if a running process has used qsub or not, you have to track the parents of the pid.
>>>
>>> At the end, if you reach pbs_mom, then user has used qsub. Else he directly ran the
>>>
>>> application. Then you can write a cron job and check the parents running processes
>>>
>>> every hour.
>>>
>>>
>>> Regards,
>>> Mahmood
>>>
>>>
>>>
>>> ________________________________
>>> From: Pablo Guaza Peces <pabloguaza at ugr.es>
>>> To: Torque Users Mailing List <torqueusers at supercluster.org>
>>> Sent: Wednesday, November 7, 2012 11:13 AM
>>> Subject: [torqueusers] Prevent users to run commands directly
>>>
>>> Hi Everybody!
>>> I just got my little cluster ready for execution and I was wondering if there's a way to prevent users to execute their programs directly, and only allow them to do that through Torque with qsub command.
>>>
>>> I guess that all the programs that are run directly form the terminal bypassing Torque, prevent it to be 'conscious' of the resources usage, is that right?
>>>
>>> Cheers
>>> _______________________________________________
>>> torqueusers mailing list
>>> torqueusers at supercluster.org
>>> http://www.supercluster.org/mailman/listinfo/torqueusers
>>> _______________________________________________
>>> torqueusers mailing list
>>> torqueusers at supercluster.org
>>> http://www.supercluster.org/mailman/listinfo/torqueusers
>> _______________________________________________
>> torqueusers mailing list
>> torqueusers at supercluster.org
>> http://www.supercluster.org/mailman/listinfo/torqueusers
> _______________________________________________
> torqueusers mailing list
> torqueusers at supercluster.org
> http://www.supercluster.org/mailman/listinfo/torqueusers
>
> _______________________________________________
> torqueusers mailing list
> torqueusers at supercluster.org
> http://www.supercluster.org/mailman/listinfo/torqueusers



More information about the torqueusers mailing list