[slurm-users] --uid , --gid option is root only now :'(

Christopher Benjamin Coffey Chris.Coffey at nau.edu
Thu May 10 12:48:16 MDT 2018 

Hi,

We noticed that recently --uid, and --gid functionality changed where previously a user in the slurm administrators group could launch jobs successfully with --uid, and --gid , allowing for them to submit jobs as another user. Now, in order to use --uid, --gid, you have to be the root user.

What was the reasoning in making this change? Do people not trust the folks in the slurm administrator group to allow this behavior? Seems odd.

This bit us awhile back when upgrading from 16.05.6 to slurm 17.11 which has this --uid/--gid change in it. We've just recently gotten time to look into it. We've patched slurm (a very small change) to remove the check as we need this functionality. I'd imagine there wouldn't be any consequences from the minor change, but would like to hear if possible why the change was made and if this code change is a bad idea. Also, is there a better solution to allow a non-root slurm administrator user to submit jobs as another person?

slurm/src/sbatch/opt.c

----
case LONG_OPT_UID:
                        if (!optarg)
                                break;  /* Fix for Coverity false positive */
                        // remove the root only constraint for --uid
                        /*if (getuid() != 0) {
                                error("--uid only permitted by root user");
                                exit(error_exit);
                        }
                        */
                        if (opt.euid != (uid_t) -1) {
                                error("duplicate --uid option");
                                exit(error_exit);
                        }
                        if (uid_from_string(optarg, &opt.euid) < 0) {
                                error("--uid=\"%s\" invalid", optarg);
                                exit(error_exit);
                        }
                        break;

case LONG_OPT_GID:
                        if (!optarg)
                                break;  /* Fix for Coverity false positive */
                        // remove the root only constraint for --gid
                        /*if (getuid() != 0) {
                                error("--gid only permitted by root user");
                                exit(error_exit);
                        }*/
                        if (opt.egid != (gid_t) -1) {
                                error("duplicate --gid option");
                                exit(error_exit);
                        }
                        if (gid_from_string(optarg, &opt.egid) < 0) {
                                error("--gid=\"%s\" invalid", optarg);
                                exit(error_exit);
                        }
                        break;
----

Best,
Chris

—
Christopher Coffey
High-Performance Computing
Northern Arizona University
928-523-1167

More information about the slurm-users mailing list