[torqueusers] Prevent users to run commands directly

James E. Prewett download at hpc.unm.edu
Fri Nov 9 10:49:55 MST 2012


Have you considered using the pam_pbssimpleauth PAM module?  It avoids 
problems with munging the access.conf file, etc. and is IMHO better than 
the /etc/nologin solution as a user who has been allocated that node by 
Torque will be able to log in independent of that job (but only while that 
job is running) so as to monitor the progress of their jobs, etc.

I /really/ don't like the idea of modifying system files as a part of 
these scripts.  I've seen too many instances where the file gets munged 
either because of a bug in the script or some horrible coincidence (like 
the power gets pulled part-way through writing the file!).  I had a 
colleague blow away /etc/passwd due to a scheme like this. :)

The down-side of allowing the users to log in like this is that you have 
to implement scripts that will kill all processes belonging to the user 
when the job exits, and, if you allow multiple jobs per node, you've got 
to be careful not to kill the wrong processes should a user have multiple 
jobs on a node!

Either way, you've got some scripting to do, but I feel the 
pam_pbssimpleauth solution is really the cleanest that I've seen.  It can 
be found in the Torque distribution tarball and is simple to compile and 
install (make sure you have the necessary PAM development 
libraries/packages for your system! :) .

HTH,
Jim

James E. Prewett                    Jim at Prewett.org download at hpc.unm.edu 
Systems Team Leader           LoGS: http://www.hpc.unm.edu/~download/LoGS/ 
Designated Security Officer         OpenPGP key: pub 1024D/31816D93 
HPC Systems Engineer III   UNM HPC  505.277.8210

On Fri, 9 Nov 2012, Jeff Anderson-Lee wrote:

> Login and ssh check to see if /etc/nologin is there and will disallow
> non-root logins if it is present.
>
> http://linux.about.com/library/cmd/blcmdl5_nologin.htm
>
> Note that this will only work if (a) users only request one node per
> job, or (b) you have some other channel for them to start their other
> processes, since by default your job is only started on one node in one
> process. For our use case it works. For many others it might not.
>
> Jeff
>
> On 11/9/2012 12:05 AM, Mahmood Naderan wrote:
>>> A cron job that repeatedly touches /etc/nologin seems to do it for us
>> What is that file? I don't have that.
>>
>>
>> Regards,
>> Mahmood
>>
>>
>>
>> ----- Original Message -----
>> From: Jeff Anderson-Lee <jonah at eecs.berkeley.edu>
>> To: Torque Users Mailing List <torqueusers at supercluster.org>
>> Cc:
>> Sent: Thursday, November 8, 2012 6:20 PM
>> Subject: Re: [torqueusers] Prevent users to run commands directly
>>
>> A cron job that repeatedly touches /etc/nologin seems to do it for us.
>>
>> Jeff
>>
>> On 11/7/2012 7:34 PM, Henryk Modzelewski wrote:
>>> Mahmood,
>>>
>>> A clean solution is to use mom's prologue/epilogue to modify /etc/security/access.conf to add/remove particular user access privileges as controlled by pam access module. Users can still cheat around this once they have jobs running, but it takes some creativity to do so. I have been using this solution effectively for many years, and only occasionally had to punish somebody by deleting their non-torque processes.
>>>
>>> Henryk
>>> _______________________________________________________
>>> Henryk Modzelewski, UBC EOS, SLIM/WFRT
>>> Contact info: http://www.eos.ubc.ca/~henryk/
>>>
>>> "If you get the results that you expected,
>>> it does not always mean that you get the correct results."
>>> _______________________________________________________
>>>
>>> On Nov 7, 2012, at 6:40 AM, Mahmood Naderan wrote:
>>>
>>>> I asked a similar question before
>>>> http://www.supercluster.org/pipermail/torqueusers/2011-February/012283.html
>>>>
>>>> There were some good points but I didn't implement a script. In general, to find out
>>>> if a running process has used qsub or not, you have to track the parents of the pid.
>>>> At the end, if you reach pbs_mom, then the user has used qsub. Else he directly ran the
>>>> application. Then you can write a cron job and check the parents of running processes
>>>> every hour.
>>>>
>>>>
>>>> Regards,
>>>> Mahmood
>>>>
>>>>
>>>>
>>>> ________________________________
>>>> From: Pablo Guaza Peces <pabloguaza at ugr.es>
>>>> To: Torque Users Mailing List <torqueusers at supercluster.org>
>>>> Sent: Wednesday, November 7, 2012 11:13 AM
>>>> Subject: [torqueusers] Prevent users to run commands directly
>>>>
>>>> Hi Everybody!
>>>> I just got my little cluster ready for execution and I was wondering if there's a way to prevent users to execute their programs directly, and only allow them to do that through Torque with qsub command.
>>>>
>>>> I guess that all the programs that are run directly from the terminal bypassing Torque, prevent it to be 'conscious' of the resources usage, is that right?
>>>>
>>>> Cheers
>>>> _______________________________________________
>>>> torqueusers mailing list
>>>> torqueusers at supercluster.org
>>>> http://www.supercluster.org/mailman/listinfo/torqueusers
>
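
Added example (not part of the original thread and not Torque's own code): the parent-tracking check described in the quoted 7 Nov message, written as a report an administrator could run from cron on a compute node. It assumes a Linux /proc layout and that the MOM daemon's process name is pbs_mom; the function names, the sample process table and the UID cut-off of 1000 are hypothetical.

```python
import os

def read_proc_table(proc="/proc"):
    """Return {pid: (ppid, comm, uid)} read from a Linux /proc tree."""
    table = {}
    for entry in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, entry, "stat")) as fh:
                stat = fh.read()
            uid = os.stat(os.path.join(proc, entry)).st_uid
        except OSError:
            continue  # process exited while we were scanning
        # comm sits in parentheses and may itself contain spaces or ')'
        rpar = stat.rindex(")")
        comm = stat[stat.index("(") + 1:rpar]
        ppid = int(stat[rpar + 2:].split()[1])  # fields after comm: state, ppid
        table[int(entry)] = (ppid, comm, uid)
    return table

def under_mom(pid, table, mom="pbs_mom"):
    """Walk the parent chain; True if it reaches a process named `mom`."""
    seen = set()
    while pid in table and pid not in seen:  # `seen` guards against loops
        seen.add(pid)
        ppid, comm, _ = table[pid]
        if comm == mom:
            return True
        pid = ppid
    return False

def stray_processes(table, min_uid=1000, mom="pbs_mom"):
    """PIDs of non-system users that do not descend from pbs_mom.
    min_uid=1000 is an assumed cut-off for ordinary accounts."""
    return sorted(pid for pid, (_, _, uid) in table.items()
                  if uid >= min_uid and not under_mom(pid, table, mom))

# Constructed sample: one job started by pbs_mom, one direct ssh session.
SAMPLE = {
    1: (0, "init", 0),
    400: (1, "pbs_mom", 0),
    410: (400, "bash", 1001), 411: (410, "solver", 1001),
    500: (1, "sshd", 0),
    510: (500, "sshd", 1002), 511: (510, "bash", 1002), 512: (511, "solver", 1002),
}

if __name__ == "__main__":
    table = read_proc_table()
    for pid in stray_processes(table):
        print(pid, table[pid][1], "uid=%d" % table[pid][2])
```

A job process that daemonizes is re-parented to init and will be listed as stray, and so will a login that pam_pbssimpleauth legitimately allowed, so the output is a list to review rather than a kill list.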