(-)a/NEWS (+5 lines)
Lines 12-17 documents those changes that are of interest to users and administrators. Link Here
12
    Add salloc/sbatch/srun support for optional "--no-kill=off" option to
12
    Add salloc/sbatch/srun support for optional "--no-kill=off" option to
13
    disable the environment variables.
13
    disable the environment variables.
14
 -- Fix salloc and missing SLURM_NTASKS.
14
 -- Fix salloc and missing SLURM_NTASKS.
15
 -- Limit pam_slurm_adopt to run only in the sshd context by default, for
16
    security reasons. A new module option 'service=<name>' can be used to
17
    allow a different PAM applications to work. The option 'service=*' can be
18
    used to restore the old behaviour of always performing the adopt logic
19
    regardless of the PAM application context.
15
20
16
* Changes in Slurm 19.05.0pre1
21
* Changes in Slurm 19.05.0pre1
17
==============================
22
==============================
(-)a/contribs/pam_slurm_adopt/README (+9 lines)
Lines 97-102 This module has the following options (* = default): Link Here
97
        0* = If the step the job is adopted into has X11 enabled, set
97
        0* = If the step the job is adopted into has X11 enabled, set
98
             the DISPLAY variable in the processes environment accordingly.
98
             the DISPLAY variable in the processes environment accordingly.
99
99
100
    service - The pam service name for which this module should run. By default
101
              it only runs for sshd for which it was designed for. A
102
              different service name can be specified like "login" or "*" to
103
              allow the module to in any service context. For local pam logins
104
              this module could cause unexpected behaviour or even security
105
              issues. Therefore if the service name does not match then this
106
              module will not perform the adoption logic and returns
107
              PAM_IGNORE immediately.
108
100
SLURM.CONF CONFIGURATION
109
SLURM.CONF CONFIGURATION
101
  PrologFlags=contain must be set in slurm.conf. This sets up the "extern" step
110
  PrologFlags=contain must be set in slurm.conf. This sets up the "extern" step
102
  into which ssh-launched processes will be adopted.
111
  into which ssh-launched processes will be adopted.
(-)a/contribs/pam_slurm_adopt/pam_slurm_adopt.c (-1 / +47 lines)
Lines 93-98 static struct { Link Here
93
	log_level_t log_level;
93
	log_level_t log_level;
94
	char *node_name;
94
	char *node_name;
95
	bool disable_x11;
95
	bool disable_x11;
96
	char *pam_service;
96
} opts;
97
} opts;
97
98
98
static void _init_opts(void)
99
static void _init_opts(void)
Lines 106-111 static void _init_opts(void) Link Here
106
	opts.log_level = LOG_LEVEL_INFO;
107
	opts.log_level = LOG_LEVEL_INFO;
107
	opts.node_name = NULL;
108
	opts.node_name = NULL;
108
	opts.disable_x11 = false;
109
	opts.disable_x11 = false;
110
	opts.pam_service = NULL;
109
}
111
}
110
112
111
/* Adopts a process into the given step. Returns SLURM_SUCCESS if
113
/* Adopts a process into the given step. Returns SLURM_SUCCESS if
Lines 579-584 static void _parse_opts(pam_handle_t *pamh, int argc, const char **argv) Link Here
579
			opts.node_name = xstrdup(v);
581
			opts.node_name = xstrdup(v);
580
		} else if (!xstrncasecmp(*argv, "disable_x11=1", 13)) {
582
		} else if (!xstrncasecmp(*argv, "disable_x11=1", 13)) {
581
			opts.disable_x11 = true;
583
			opts.disable_x11 = true;
584
		} else if (!xstrncasecmp(*argv, "service=", 8)) {
585
			v = (char *)(8 + *argv);
586
			opts.pam_service = xstrdup(v);
582
		}
587
		}
583
	}
588
	}
584
589
Lines 593-598 static void _log_init(log_level_t level) Link Here
593
	log_init(PAM_MODULE_NAME, logopts, LOG_AUTHPRIV, NULL);
598
	log_init(PAM_MODULE_NAME, logopts, LOG_AUTHPRIV, NULL);
594
}
599
}
595
600
601
/* Make sure to only continue if we're running in the sshd context
602
 *
603
 * If this module is used locally e.g. via sudo then unexpected things might
604
 * happen (e.g. passing environment variables interpreted by slurm code like
605
 * SLURM_CONF or inheriting file descriptors that are used by _try_rpc()).
606
 */
607
static int check_pam_service(pam_handle_t *pamh)
608
{
609
	const char *allowed = opts.pam_service ? opts.pam_service : "sshd";
610
	char *service = NULL;
611
	int rc;
612
613
	if (!strcmp(allowed, "*"))
614
		// any service name is allowed
615
		return PAM_SUCCESS;
616
617
	rc = pam_get_item(pamh, PAM_SERVICE, (void*)&service);
618
619
	if (rc != PAM_SUCCESS) {
620
		pam_syslog(pamh, LOG_ERR, "failed to obtain PAM_SERVICE name");
621
		return rc;
622
	}
623
	else if (service == NULL) {
624
		// this shouldn't actually happen
625
		return PAM_BAD_ITEM;
626
	}
627
628
	if (!strcmp(service, allowed)) {
629
		return PAM_SUCCESS;
630
	}
631
632
	pam_syslog(pamh, LOG_INFO, "Not adopting process since this is not an allowed pam service");
633
	return PAM_IGNORE;
634
}
635
596
/* Parse arguments, etc then get my socket address/port information. Attempt to
636
/* Parse arguments, etc then get my socket address/port information. Attempt to
597
 * adopt this process into a job in the following order:
637
 * adopt this process into a job in the following order:
598
 * 	1) If the user has only one job on the node, pick that one
638
 * 	1) If the user has only one job on the node, pick that one
Lines 613-618 PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags Link Here
613
653
614
	_init_opts();
654
	_init_opts();
615
	_parse_opts(pamh, argc, argv);
655
	_parse_opts(pamh, argc, argv);
656
657
	retval = check_pam_service(pamh);
658
	if (retval != PAM_SUCCESS) {
659
		return retval;
660
	}
661
616
	_log_init(opts.log_level);
662
	_log_init(opts.log_level);
617
663
618
	switch (opts.action_generic_failure) {
664
	switch (opts.action_generic_failure) {
Lines 749-754 cleanup: Link Here
749
	FREE_NULL_LIST(steps);
795
	FREE_NULL_LIST(steps);
750
	xfree(buf);
796
	xfree(buf);
751
	xfree(opts.node_name);
797
	xfree(opts.node_name);
798
	xfree(opts.pam_service);
752
	xcgroup_fini_slurm_cgroup_conf();
799
	xcgroup_fini_slurm_cgroup_conf();
753
	return rc;
800
	return rc;
754
}
801
}
755
- 
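Review bot: The early `return retval;` added to pam_sm_acct_mgmt right after `check_pam_service()` bypasses the `cleanup:` label, so the strings `_parse_opts` has just allocated with `xstrdup` (`opts.node_name`, and now `opts.pam_service`) are never freed on the PAM_IGNORE or error path, and the calling application may be long-lived. Freeing them before returning, `xfree(opts.node_name); xfree(opts.pam_service);`, looks safer than `goto cleanup`, because the body between this hunk and the label is not visible here and `steps`, `buf` and `rc` may not be initialised at that point. Separately, a mismatch in `check_pam_service` returns PAM_IGNORE, so a mistyped or empty `service=` value would stop the module from running for sshd as well, with only a generic LOG_INFO line to show for it. That message should name both values, e.g. `"Not adopting process: PAM service '%s' is not the allowed service '%s'"` with `service, allowed`, so a misconfiguration is visible in the auth log.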
