How to run jobs with root


Pablo Maldonado

Apr 17, 2019, 6:30:08 PM
to schedulix
Hello, I wanted to know if it is possible to run a job as a user other than the owner of the jobserver.

Thank you so much

Pablo Maldonado

Ronald Jeninga

Apr 18, 2019, 8:03:57 AM
to schedulix
Hi Pablo,

the easiest would be to use "sudo" in the run program, I think.
But it depends a little on the exact specification.

In some PoC we've built a simple shell script that evaluates an environment variable that indicates as which user the job should run.
Then it calls sudo that changes user to the desired user and calls the jobexecutor.
Basically (this is more pseudo code than real code):

#!/bin/bash
# some parameter checking
exec sudo <some configuration> "$BICSUITEHOME/bin/jobexecutor" "$@"

And in the jobserver's configuration the JOBEXECUTOR entry is then replaced with the fully qualified name of the script.
The main challenge here is to configure sudo in a way that this remains secure (but doesn't ask for passwords).

And as an alternative you could install an extra jobserver that runs as root.
The jobserver should be owned by ADMIN. This prevents job executions as root by non-administrators.
OK, this suggestion doesn't answer your question, but it describes our basic concept.

Best regards,

Ronald

Dieter Stubler

Apr 18, 2019, 8:08:52 AM
to schedulix
Hi,

schedulix was designed to be as secure as possible.
Running jobs as users other than the one the jobserver agent is running as would require root or sudo privileges.
That's why we did not implement that.

Our recommendation is to run a jobserver agent for every user that jobs should run as.

However, there is a way to customize schedulix to do so.

This is completely the user's responsibility, and we do not feel guilty for security breaches caused by this method.

It works like this:

Create a script, let's call it sudoExecutor.sh, with the following content:

#!/bin/bash
export JOBEXECUTOR="/opt/schedulix/schedulix/bin/jobexecutor"

if [ -n "$RUNAS" ]
then
    # Check that sudo to the RUNAS user works before handing over the job
    if ! sudo -i -u "$RUNAS" id
    then
        # 'jobexecutor exited with exit code = 50' will be displayed in the job error message if sudo fails
        exit 50
    fi

    # Make the taskfile of the job writable for the RUNAS user
    chmod 666 "$2"
    exec sudo -i -u "$RUNAS" "$JOBEXECUTOR" "$@"
fi

# No RUNAS parameter: run the job as the jobserver user
exec "$JOBEXECUTOR" "$@"

Adapt the JOBEXECUTOR path to your installation if necessary. 

Now you can create a parameter of a job with 'Export Name' == 'RUNAS' containing the user the job should run with.
Of course, the user originally running the job server has to have the necessary sudo privileges.
This is just a PoC of how to do that. To make it safe, there is maybe more to do to check privileges.

Please note that you have to be very careful not to introduce any security problems when doing this.

Hope that helps you further.

Regards
Dieter

Dieter Stubler

Apr 18, 2019, 8:12:10 AM
to schedulix
Hi,

I forgot one detail.
To make this work you have to change your jobserver config to use the script as jobexecutor.
JOBEXECUTOR=path_to_sudoExecutor.sh

sudoExecutor.sh has to be executable for the user running the jobserver agent.

Regards
Dieter
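
A hardened variant of the sudoExecutor.sh approach from the posts above, as an added example that is not part of the thread and not schedulix code: it checks RUNAS against an allowlist before sudo is called and grants the taskfile to that one user only. The allowlist path, exit code 51, the sudoers line in the comments, the refusal of root and the use of setfacl are assumptions.

```shell
#!/bin/sh
# Added example, not schedulix code: an allowlisting variant of sudoExecutor.sh.
# Assumptions (hypothetical): the allowlist path, exit code 51, denying root here,
# and a sudoers entry like this one (account names constructed):
#   schedulix ALL=(appuser1,batch_etl) NOPASSWD: /opt/schedulix/schedulix/bin/jobexecutor
# Both paths are hardcoded on purpose: job parameters arrive as environment
# variables, so nothing security-relevant may be read from the environment.
JOBEXECUTOR="/opt/schedulix/schedulix/bin/jobexecutor"
RUNAS_ALLOW="/etc/schedulix/runas.allow"   # one account name per line

# Succeed only for a plain account name that is listed in the allowlist.
runas_permitted() {
    case "$1" in
        # Reject empty, root, option-like names and any other character. This also
        # blocks newlines, which grep -F would read as several patterns.
        ''|root|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ -r "$RUNAS_ALLOW" ] && grep -qxF -- "$1" "$RUNAS_ALLOW"
}

run_job() {
    # No RUNAS parameter: behave exactly like the stock jobexecutor.
    [ -n "${RUNAS:-}" ] || exec "$JOBEXECUTOR" "$@"

    if ! runas_permitted "$RUNAS"; then
        echo "sudoExecutor: RUNAS '$RUNAS' is not in $RUNAS_ALLOW" >&2
        return 51
    fi
    # -n never prompts; -l with a command only asks sudo whether it is allowed.
    if ! sudo -n -l -u "$RUNAS" "$JOBEXECUTOR" >/dev/null 2>&1; then
        return 50   # same code the original script uses when sudo fails
    fi
    # Grant the taskfile ($2, as in the original) to this one user instead of
    # chmod 666. Assumes POSIX ACL support on the jobserver's filesystem.
    setfacl -m "u:$RUNAS:rw" "$2" || return 50
    exec sudo -n -i -u "$RUNAS" "$JOBEXECUTOR" "$@"
}

# Act only when installed under this name, so the functions can be sourced
# and tested without starting a job.
case "${0##*/}" in
    sudoExecutor.sh) run_job "$@"; exit $? ;;
esac
```

The allowlist file should be writable only by root, since anyone who can edit it decides which accounts jobs may run as.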

Pablo Maldonado

Apr 18, 2019, 11:00:13 AM
to schedulix
Dieter and Ronald

Thank you very much for your suggestions and I will see what is best.

Pablo Maldonado