Skip to first unread message
Pablo Maldonado
Apr 17, 2019, 6:30:08 PM4/17/19
to schedulix
Hello I wanted to know if it is possible to run a job with another user different from the owner of the jobserver.
Thank you so much
Pablo Maldonado
Ronald Jeninga
Apr 18, 2019, 8:03:57 AM4/18/19
to schedulix
Hi Pablo,
the easiest would be to use "sudo" in the run program, I think.
But it depends a little on the exact specification.
In some PoC we've built a simple shell script that evaluates an environment variable that indicates as which user the job should run.
Then it calls sudo that changes user to the desired user and calls the jobexecutor.
Basically (this is more pseudo code than real code):
#!/bin/bash
# some parameter checking
exec sudo <some configuration> $BICSUITEHOME/bin/jobexecutor $*
And in the jobserver's configuration the JOBEXECUTOR entry is then replaced with the full qualified name of the script.
The main challenge here is to configure sudo in a way that this remains secure (but doesn't ask for passwords).
And as an alternative you could install an extra jobserver that runs as root.
The jobserver should be owned by ADMIN. This prevents job executions as root by non-administrators.
OK, this suggestion doesn't answer your question, but it describes our basic concept.
Best regards,
Ronald
Dieter Stubler
Apr 18, 2019, 8:08:52 AM4/18/19
to schedulix
Hi,
This is completely under user responsibility and we do not feel guilty for security breaks caused by this method.
schedulix was designed to be as secure as possible.
Running jobs as other users as the jobserver agent is running, would require root or sudo privileges to do so.
That's why we did not implement that.
Running jobs as other users as the jobserver agent is running, would require root or sudo privileges to do so.
That's why we did not implement that.
Our recommendation is, to run a jobserver agents for every user jobs should run with.
However, there is a way to customize schedulix to do so.
This is completely under user responsibility and we do not feel guilty for security breaks caused by this method.
It works like this:
Create a script, lets call it sudoExecutor.sh with the following content:
export JOBEXECUTOR="/opt/schedulix/schedulix/bin/jobexecutor"
if [ "$RUNAS" != "" ]
then
sudo -i -u "$RUNAS" id
if [ $? != 0 ]
then
# 'jobexecutor exited with exit code = 50' Will be displayed in job error message if sud fails
exit 50
fi# Make the taskfile of the job writable for the RUNAS user
chmod 666 $2
exec sudo -i -u "$RUNAS" "$JOBEXECUTOR" $*
fi
exec "$JOBEXECUTOR" $*
Adapt the JOBEXECUTOR path to your installation if necessary.
Now you can create a parameter of a job with 'Export Name' == 'RUNAS' containing the user the job should run with.
Of course, the user originally running the job server has to have the necessary sudo privileges.
Of course, the user originally running the job server has to have the necessary sudo privileges.
This is just a POC how to do that. To make it save, there is maybe more to do check privileges.
Please note, that you have to be very careful not introducing any security problems when doing this.
Hope that helps you further.
Regards
Dieter
Dieter
Dieter Stubler
Apr 18, 2019, 8:12:10 AM4/18/19
to schedulix
Hi,
I forgot one detail.
To make this work you have to change jor jobserver config to use the script as jobexecutor.
To make this work you have to change jor jobserver config to use the script as jobexecutor.
JOBEXECUTOR=path_to_sudoExecutor.sh
sudoExecutor.sh has to be executable for the user running the jobserver agent.
Regards
Dieter
Dieter
Pablo Maldonado
Apr 18, 2019, 11:00:13 AM4/18/19
to schedulix
Dieter and Ronald
Thank you very much for your suggestions and I will see what is best.
Pablo Maldonado
Reply all
Reply to author
Forward
0 new messages