5

I'm using Slurm. I want users to access only their own /home/ directory (or the directory from which they executed their job), Ubuntu packages that are installed by the sudo user, and binary files under /bin, such as ls, cat, rm, etc.

I do not want each user to have any read/write access to the other users' files and important files such as /etc/passwd.

I observe that when any slurm-job runs under a new user, it can read all files under the root (/) directory such as /etc/passwd.


Starting from the answer to "Is it possible to force SLURM to have access to only job's running folder and not alter any other file?", it has been recommended to use chroot:

> If you want to make sure your job has no way to write outside of a specific directory, you can use the chroot command in your job submission script, but that seems a bit odd and less easy to manage than UNIX permissions.


> The chroot() system call changes the process's root directory to the directory specified by pathname

Is it possible to run users' jobs in the chroot environment (chroot()-jailed) using Slurm?


As an alternative solution, I have controlled file access through UNIX permissions, where a job can only write where the submitting user has permission to write; please see: slurm: How to submit a job under another user and prevent to read other users' files?

alper

2 Answers

1

> I do not want each user to have any read/write access to the other users' files and important files such as /etc/passwd.

It is normal for users to be allowed to read /etc/passwd; it is necessary for many operations. Sensitive information such as password hashes, which originally were stored in /etc/passwd, is nowadays stored in /etc/shadow in all Linux distributions.

> I observe that when any slurm-job runs under a new user, it can read all files under the root (/) directory such as /etc/passwd.

Again, it is normal for regular users to be able to read files in / ; it enables them to access installed software, see information about their processes, etc.

Only /root should be readable by root only.

As for the files of other users, they will typically be in /home, so make sure that the sub-directories in /home are 700 and are owned by their respective users.

Files in /etc might also hold sensitive information, but package managers often make sure the proper permissions are set on these files.

If you are concerned about privacy, you should also configure Slurm to disable node sharing and to keep accounting information private. See more information here.

damienfrancois
  • As I understand, `/etc/passwd` might bring vulnerability unless shadow passwords are not used (https://security.stackexchange.com/a/92769/179928). And also by entering incorrect passwords for usernames that are learned from `/etc/passwd`, hence failed login attempts may lead to locked user accounts. – alper Nov 21 '19 at 06:32
  • I get your point, but that reasoning holds for intruders, not for regular users. If you trust someone enough to give them SSH access to your machine, allowing them to read the `/etc/passwd` is a normal course of operations. If you do not trust them, either start a [restricted shell](https://en.wikipedia.org/wiki/Restricted_shell) in a [virtual machine](https://slurm.schedmd.com/SLUG15/SlurmVM.pdf) for each of them or do not give them access at all. – damienfrancois Nov 22 '19 at 08:06
  • I am sorry bounty has expired, I was not able to accept before the time ended :( – alper Nov 22 '19 at 08:08
  • No worries about the bounty :) – damienfrancois Nov 22 '19 at 08:09
  • I am using slurm on a cluster where any user can submit their jobs over an application without having SSH access. That's why, as a cluster, they have no trust in users (any user can submit a job), since their only goal is to run their jobs. That's why I am trying to come up with a design where users won't be able to do any harm on clusters with their jobs and won't be able to read other users' jobs. – alper Nov 22 '19 at 08:11
  • I have done `chmod 700` as you suggested and given access to the user's base folder only to the user itself and the root slurm user using `setfacl -R -m user:$USERNAME:rwx $BASEDIR/$USERNAME`. Please see for more details: https://gist.github.com/avatar-lavventura/e96818ed930741538c03f469414502cd . But still all the users will have complete access to the `/etc` path; I am not sure whether they will cause any damage to the cluster with this setup. – alper Nov 22 '19 at 08:17
  • Assuming the users are authenticated in the application, my previous comment holds, just read 'access through the application' rather than 'SSH access'. – damienfrancois Nov 22 '19 at 08:20
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/202856/discussion-between-alper-and-damienfrancois). – alper Nov 22 '19 at 08:21
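
The check recommended in the answer above (sub-directories of /home set to 700 and owned by their respective users), written as an audit script. This is an added example, not code from the answer or the comments. The function name `audit_homes` and its finding labels are hypothetical, and it assumes GNU coreutils and one directory per user, named after the account, directly under the base directory.

```shell
#!/bin/sh
# Added example (not from the original page): audit per-user directories.
# audit_homes and the finding labels are hypothetical names.
# Assumes GNU coreutils (stat -c, ls) and directories named after accounts.

# Prints one line per finding; prints nothing when every directory is tight.
# The body runs in a subshell "( ... )" so its variables stay local.
audit_homes() (
    base="${1:-/home}"
    for dir in "$base"/*/; do
        dir="${dir%/}"
        [ -d "$dir" ] || continue          # glob matched nothing
        if [ -L "$dir" ]; then             # do not follow symlinked homes
            echo "$dir symlink"
            continue
        fi
        name="${dir##*/}"
        mode="$(stat -c '%a' "$dir")"      # octal mode, e.g. 700, 755, 2750
        owner="$(stat -c '%U' "$dir")"

        # Any group/other bit means other accounts (and their jobs) get access.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "$dir mode=$mode (group/other bits set, expected 700)"
        fi
        # The directory should belong to the account it is named after.
        if [ "$owner" != "$name" ]; then
            echo "$dir owner=$owner (expected $name)"
        fi
        # Mode bits do not show extended ACL entries added with setfacl;
        # GNU ls marks them with '+' right after the permission string.
        case "$(ls -ld "$dir")" in
            ??????????+*) echo "$dir has-acl (review with getfacl)" ;;
        esac
    done
)

# Usage: sh audit_homes.sh /home
if [ "$#" -gt 0 ]; then
    audit_homes "$1"
fi
```
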
0

You shouldn't have to use chroot to achieve what you want, because what you want is the normal behaviour. Thus, I think there is something wrong with your set-up. The configuration parameter SlurmdUser, which runs the slurmd daemon, is root by default, but even in that case, the job itself, which is started by slurmd, should be owned by the user who submitted the job. The user can then only have read and write access to resources with the appropriate permissions, such as their own home directory.

Having said the above, I don't actually have any experience of Slurm on Ubuntu, so something may indeed be slightly broken there.

loris