Just a thought but what about Apache's suexec?
http://httpd.apache.org/docs/1.3/suexec.html
-Steve
On May 30, 2008, at 7:33 AM, Prakash Velayutham wrote:
Thanks for all your responses.
I think the solution Jan suggested would be nice to implement and
least exploitable. Please correct me if I am wrong.
Jan,
Do you have skeleton code that you would be willing to provide?
Is this C-based?
Thanks again,
Prakash
On May 29, 2008, at 6:30 PM, Jan Ploski wrote:
Joshua Bernstein wrote:
On May 29, 2008, at 3:10 PM, Prakash Velayutham wrote:
Hi All,
This is not a Torque or Maui question, but I am very positive
that some of the bright guys here have this already set up in
some form or the other.
We have a PHP-based web application which has a compute portion
which we want to ship out to our compute cluster. Also, the PHP
application is secure, meaning, only authenticated users can
submit jobs.
My question is, how can I make the submitted jobs run as the
logged in user and not the generic Apache user (wwwrun or www or
somebody else based on the distro)?
It should be fairly straightforward to have the PHP/Apache
application construct a job script. When the PHP script goes to
qsub the script, instead of just doing a system("qsub..."), you
should perhaps fork() and then setuid() to the username of the user
running the job. TORQUE would therefore see the job being
submitted as the user rather than the www-data, or whatever user
the web server is running as. I could see an issue though where
the web user might not be able to setuid() to another user. I'd
hesitate to run the web server with setuid privileges... Hmmm, it
is a start though.
I solved a similar problem by implementing a little daemon process
which runs as root (and so can su to whatever user you wish) and
monitors a spool directory to which the unprivileged user (such as
wwwrun) has write access. The unprivileged user's process writes a
request file and notifies the daemon (by making a connection to a
TCP socket; another IPC mechanism could be used, too).
You could also add wwwrun to sudoers, but that would be less secure.
Regards,
Jan Ploski
_______________________________________________
torqueusers mailing list
[EMAIL PROTECTED]
http://www.supercluster.org/mailman/listinfo/torqueusers
Prakash Velayutham
Programmer / Analyst
Cincinnati Children's Hospital Medical Center
_______________________________________________
mauiusers mailing list
[email protected]
http://www.supercluster.org/mailman/listinfo/mauiusers
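A sketch of the privileged side of the spool-directory design Jan describes, added here as an illustration and not code from anyone in this thread. The JSON request format (`user` and `script` keys), the `qsub` path, the `MIN_UID` floor and all function names are assumptions; it relies on qsub reading the job script from standard input when no script file is given.

```python
import json
import os
import pwd
import re
import stat

QSUB = "/usr/bin/qsub"   # assumed path; absolute so root never does a PATH lookup
MIN_UID = 1000           # assumed policy: never submit as root or system accounts
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

def load_request(path, web_uid):
    """Parse one spool request; raise unless it is safe to act on."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # spool is web-writable: no symlinks
    with os.fdopen(fd) as fh:
        st = os.fstat(fh.fileno())
        if not stat.S_ISREG(st.st_mode) or st.st_uid != web_uid:
            raise ValueError("request is not a regular file owned by the web user")
        req = json.loads(fh.read(65536))
    if not (isinstance(req, dict) and isinstance(req.get("script"), str)
            and isinstance(req.get("user"), str) and USER_RE.fullmatch(req["user"])):
        raise ValueError("malformed request")
    return req["user"], req["script"]

def resolve_user(user, lookup=pwd.getpwnam):
    """Map the requested name to an account, rejecting privileged UIDs."""
    pw = lookup(user)    # raises KeyError if the account does not exist
    if pw.pw_uid < MIN_UID:
        raise ValueError("refusing privileged account")
    return pw

def submit_as(pw, script):
    """Fork, drop root irreversibly in the child, then feed the script to qsub."""
    env = {"PATH": "/usr/bin:/bin", "HOME": pw.pw_dir, "LOGNAME": pw.pw_name}
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:
        try:
            os.close(w)
            os.dup2(r, 0)
            os.initgroups(pw.pw_name, pw.pw_gid)  # supplementary groups, while still root
            os.setgid(pw.pw_gid)
            os.setuid(pw.pw_uid)                  # last step: root cannot be regained
            os.execve(QSUB, [QSUB], env)          # clean environment, no shell involved
        finally:
            os._exit(127)                         # reached only if a step above failed
    os.close(r)
    with os.fdopen(w, "w") as fh:
        fh.write(script)
    return os.waitpid(pid, 0)[1] == 0
```

The daemon still trusts the web application's claim about who is logged in, so the `user` field is only as reliable as the PHP application's authentication.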