Ticket 6431

Summary: Allow non-root users to use --gid.
Product: Slurm
Reporter: Matt Mix <mattmix>
Component: slurmctld
Assignee: Tim Wickberg <tim>
Status: RESOLVED WONTFIX
Severity: C - Contributions
Version: 19.05.x
Hardware: Linux
OS: Linux
See Also: https://bugs.schedmd.com/show_bug.cgi?id=5008
Site: -Other-
Attachments: Patch

Description Matt Mix 2019-01-30 10:44:51 MST
Created attachment 9046 (Patch)

This patch removes the root guards on the `--gid` option to client commands and adds group membership checking in slurmctld.

For users that are members of multiple Linux groups that represent their research group membership, being able to change the egid of their running job is very useful. This change allows those users to set their egid with the --gid option while still requiring membership in that group.

The end effect of this patch is:

$ id
uid=5000(alice) gid=5000(alice) groups=5000(alice),5001(bob) 
$ groups
alice bob
$ srun -N 1 groups
alice bob
$ srun --gid bob -N 1 groups
bob alice
$ srun --gid carol -N 1 groups
srun: error: Unable to allocate resources: Invalid group id

The last error message is a result of the slurmctld group membership check.

Other users that might be interested found on the mailing list: https://www.mail-archive.com/slurm-users@lists.schedmd.com/msg01269.html
Comment 1 Tim Wickberg 2019-01-30 12:39:19 MST
Thank you for the submission, but I will not be accepting this.

After CVE-2018-10995, our internal security stance changed and we will _only_ allow the daemons to operate on values provided directly by the auth plugin. The slurmctld is no longer permitted to manipulate extended gids to avoid a repeat of that mistake.

I would recommend using the 'sg' command if your user base needs to manipulate gids in this way.

There is an outstanding patch on bug 5008 that reintroduces the --gid option to sbatch, but relies on that tool under the covers, such that the MUNGE credentials match what the user would prefer. If you are interested in testing that please let me know, and I will see if I can loosen the security flags on that bug appropriately.

- Tim
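The following is an added example, not the attached patch and not Slurm's own code: a user-space version of the membership check the patch added to slurmctld (the one that produced "Invalid group id" above), followed by the `sg` approach Tim recommends, where the setuid `sg` binary changes the egid before any Slurm command runs, so the credential produced by the auth plugin already carries the requested gid and no daemon has to rewrite it. The function names `in_group` and `run_as_group` and the group names used are constructed for this example.

```shell
#!/bin/sh
# Added example (not Slurm's code and not the patch from this ticket).
# Function names and group names are constructed for illustration.

# Return 0 if the invoking user is a member of group "$1", 1 otherwise.
# This is the same decision the ticket's slurmctld patch made server-side;
# here it is made before any job is submitted, so a bad --gid never
# reaches the controller.
in_group() {
    grp="$1"
    [ -n "$grp" ] || return 1
    # getent resolves the group through NSS (files, LDAP, sssd, ...),
    # so an unknown name is rejected before the membership scan.
    getent group "$grp" >/dev/null 2>&1 || return 1
    for g in $(id -Gn); do
        [ "$g" = "$grp" ] && return 0
    done
    return 1
}

# Run the command given in "$2..." with the egid set to group "$1".
# sg is setuid root and performs its own membership check, so the
# privilege to switch groups stays with the OS, not with slurmctld.
run_as_group() {
    grp="$1"
    shift
    in_group "$grp" || {
        echo "run_as_group: $(id -un) is not a member of '$grp'" >&2
        return 1
    }
    sg "$grp" -c "$*"
}

# Typical use, mirroring the srun session in the ticket description:
#   run_as_group bob groups          -> "bob alice ..." (egid is bob)
#   run_as_group carol groups        -> error, not a member of 'carol'
#   run_as_group bob sbatch job.sh   -> sbatch itself runs with egid bob,
#                                       so the job's credential carries it
```

Submitting with `run_as_group bob sbatch job.sh` (or `sg bob -c 'sbatch job.sh'` directly) is the pattern Tim describes: the gid change happens in the client's process before the auth plugin builds the credential, which is why it does not need the controller to manipulate gids at all.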