Created attachment 9046
Patch

This patch removes the root guards on the `--gid` option to client commands and adds group membership checking in slurmctld.

For users that are members of multiple Linux groups that represent their research group membership, being able to change the egid of their running job is very useful. This change allows those users to set their egid with the --gid option while still requiring membership in that group.

The end effect of this patch is:

    $ id
    uid=5000(alice) gid=5000(alice) groups=5000(alice),5001(bob)
    $ groups
    alice bob
    $ srun -N 1 groups
    alice bob
    $ srun --gid bob -N 1 groups
    bob alice
    $ srun --gid carol -N 1 groups
    srun: error: Unable to allocate resources: Invalid group id

The last error message is a result of the slurmctld group membership check.

Other users that might be interested found on the mailing list: https://www.mail-archive.com/slurm-users@lists.schedmd.com/msg01269.html

Thank you for the submission, but I will not be accepting this.

After CVE-2018-10995, our internal security stance changed and we will _only_ allow the daemons to operate on values provided directly by the auth plugin. The slurmctld is no longer permitted to manipulate extended gids to avoid a repeat of that mistake.

I would recommend using the 'sg' command if your user base needs to manipulate gids in this way.

There is an outstanding patch on bug 5008 that reintroduces the --gid option to sbatch, but relies on that tool under the covers, such that the MUNGE credentials match what the user would prefer. If you are interested in testing that please let me know, and I will see if I can loosen the security flags on that bug appropriately.

- Tim