After #128 is merged, flux-imp exec will have the ability to pass arbitrary options to the job shell. Since the job shell will be running as the guest user, this opens the ability for the instance owner to modify shell behavior without explicit permission from the submitting user. This could, for example, allow the instance owner to add an --initrc= option to the shell and execute arbitrary code as guest user.
This functionality is necessary for the system instance, in order to at least supply a --reconnect option to allow for recoverable jobs after a broker restart. However, before non-system multi-user instances are supported, we should add some way to restrict the options passed down to the job shell, so that arbitrary, non-system users are limited in what options they can pass to a job shell.
For now, however, this issue would only be a problem if a non-system user was listed in allowed-users and they were able to execute the IMP. We suggest only the system instance owner, e.g. user flux, be listed in allowed-users and that user be the only one allowed to execute flux-imp.
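One shape the suggested restriction could take, as an added example that is not flux-security code: an allowlist check that the IMP would apply to the option vector before exec'ing the job shell on behalf of a non-system user. Only --reconnect is named above as a required option, so the allowlist contents, the function names and the argument vectors are assumptions for illustration.

```c
/* Added example (not flux-security / flux-imp code): an allowlist filter for
 * options forwarded to the job shell.  Names and the allowlist are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Long options the IMP may forward to the job shell for callers other than the
 * system instance owner.  Only --reconnect is mentioned on the page; treat the
 * rest of the policy as an assumption to be filled in by the project. */
static const char *const allowed_shell_options[] = {
    "--reconnect",
    NULL,
};

/* Return true if opt (e.g. "--reconnect" or "--foo=bar") names an allowlisted
 * long option.  Comparison is on the name up to the first '=' so that values
 * cannot be used to smuggle a different option; short options, bare words and
 * near-misses such as "--reconnectx" are rejected. */
bool shell_option_allowed(const char *opt)
{
    if (!opt || strncmp(opt, "--", 2) != 0)
        return false;
    size_t namelen = strcspn(opt, "=");
    for (int i = 0; allowed_shell_options[i]; i++) {
        const char *a = allowed_shell_options[i];
        if (strlen(a) == namelen && strncmp(a, opt, namelen) == 0)
            return true;
    }
    return false;
}

/* Validate a full option vector.  Returns the index of the first rejected
 * argument, or -1 if every argument is allowed.  Failing closed on the first
 * bad argument is deliberate: the IMP should refuse to exec rather than
 * silently drop options and run the shell with a partial set. */
int shell_args_check(int argc, char *const argv[])
{
    for (int i = 0; i < argc; i++) {
        if (!shell_option_allowed(argv[i]))
            return i;
    }
    return -1;
}

int main(void)
{
    /* Constructed vectors: the first is what a system instance needs, the
     * second adds an --initrc= option of the kind the issue warns about. */
    char *const system_args[] = { "--reconnect" };
    char *const owner_args[] = { "--reconnect", "--initrc=/path/to/rc" };
    printf("system vector: %d (expect -1)\n", shell_args_check(1, system_args));
    printf("owner vector:  %d (expect 1, index of --initrc)\n",
           shell_args_check(2, owner_args));
    return 0;
}
```

The check is intentionally an allowlist rather than a denylist of known-dangerous options: the job shell's option set can grow, and anything not explicitly permitted for a non-owner caller should be refused.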