[torqueusers] Prevent users to run commands directly

Michael Jennings mej at lbl.gov
Sun Nov 11 01:02:37 MST 2012

On Wed, Nov 7, 2012 at 2:13 AM, Pablo Guaza Peces <pabloguaza at ugr.es> wrote:

> I just got my little cluster ready for execution and I was wondering if there's a way to prevent users to execute their programs directly, and only allow them to do that through Torque with qsub command.

You've gotten a lot of suggestions already, Pablo, but I wanted to
offer 1 more.  :-)

The Warewulf Node Health Check utility[1] has a built-in check called
check_ps_unauth_users which checks the compute nodes for processes
which are not owned by either (1) an authorized/system user, or (2) a
user with at least 1 job running on the node.  When such processes are
found, the check can take a few different actions, including
logging/syslogging the event, marking the node as "unhealthy," or even
killing the process(es).  Any or all actions can be taken for each
"rogue" process found.

The NHC method has some advantages over the other suggestions you've
received.  It doesn't alter system files, so you don't have to worry
about corruption.  It's not restricted to checking only on job
completion like an epilogue-based utility would be.  Also, while the
pbssimpleauth PAM module will prevent users from logging in if they
don't have a job running, it can't do anything about kicking them off
once they're in.  NHC's technique is capable of killing users'
processes as soon as they're no longer authorized to be on the node,
even if they've changed their session ID or used other techniques to
circumvent detection.  So it essentially does double-duty as both a
stray process scanner and a policy enforcement tool.  :-)

And there's nothing to stop you from using more than one technique.
The PAM module has the advantage of being proactive rather than
reactive, and an epilogue script has access to specific job details
that NHC doesn't.  So it might be prudent to use 2 or even all 3 of
these tools.  They aren't mutually exclusive, and they each have their
own advantages.

Good luck!

[1] - http://warewulf.lbl.gov/trac/wiki/Node%20Health%20Check

Michael Jennings <mej at lbl.gov>
Senior HPC Systems Engineer
High-Performance Computing Services
Lawrence Berkeley National Laboratory
Bldg 50B-3209E        W: 510-495-2687
MS 050B-3209          F: 510-486-8615

More information about the torqueusers mailing list