[MPICH] Running on root's MPD as either root or another user

Ralph Butler rbutler at mtsu.edu
Tue Oct 2 14:04:48 CDT 2007


I am copying this response back to the mail list so Rajeev won't have  
to ask me later if this got resolved. :-)

We (MTSU) do not have per-node host/acct management.  We use FAI for  
installs, and LDAP for acct mgmt.
We also do not run mpd as root very often; sometimes for a class.   
Most of the time we have folks start their
own rings which sometimes stay up for extended periods but don't  
really hurt anything.

As for how mpd handles authentication when running as root, mpiexec  
uses mpdroot (which is setuid-root)
to determine the real user id and communicate it to the set of mpds  
that will participate in the job.  Each of
those mpds starts local processes using the original user id.  That  
id is assumed to be valid everywhere.  As
I mentioned, it is valid for us via LDAP.

--ralph


On Tue Oct 2, at 1:51PM, Matthew Chambers wrote:

> It's good to have that mystery solved. :)
>
> I agree that users could be executing insecure code on root's MPD  
> ring, so the code should be run under the user's id instead of  
> root.  How is that id verified though?  Does the account actually  
> have to exist on the system in the POSIX sense, or is it making  
> some system call that can be intercepted and the user verification  
> could instead come from, say, an LDAP server?  I don't know much  
> about consolidating user accounts across a cluster, but it looks  
> like that's the direction I'll have to go to have non-root users  
> run.  Maintaining user accounts on every machine does not appeal to  
> me!
>
> -Matt
>
> Ralph Butler wrote:
>> That question must have gotten lost in the shuffle of dealing with  
>> the other issues.  Yes, the user must have
>> an acct on every host.  The remote processes have to run as some  
>> id.  I do not think you would want them to
>> run as root like the daemon. :-)
>>
>
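
Added example, not part of the original thread and not MPD's own code: a sketch of how a daemon running as root can start a job process under the submitting user's id, which is the step described above. The function names are hypothetical. The account lookup goes through the host's NSS configuration (`pwd.getpwuid`), so an LDAP-backed account resolves the same way as one in `/etc/passwd`, and a uid that resolves nowhere is rejected before anything is started.

```python
import os
import pwd

# Hypothetical helper names for illustration; this is not MPD's code.


def resolve_account(uid):
    """Return the passwd entry for uid as seen through NSS (files, LDAP, ...)."""
    if uid == 0:
        raise PermissionError("refusing to start job processes as root")
    try:
        return pwd.getpwuid(uid)
    except KeyError:
        raise LookupError(f"uid {uid} has no account on this host") from None


def drop_plan(uid):
    """Resolve everything the daemon must set before exec, up front."""
    pw = resolve_account(uid)
    return {
        "user": pw.pw_name,
        "uid": pw.pw_uid,
        "gid": pw.pw_gid,
        # initgroups-style lookup, so directory-managed groups are included
        "groups": sorted(set(os.getgrouplist(pw.pw_name, pw.pw_gid))),
    }


def run_as(uid, argv):
    """Fork, switch the child to uid, exec argv; return the exit status."""
    plan = drop_plan(uid)  # fail in the parent if the account is unknown
    pid = os.fork()
    if pid == 0:
        try:
            if os.geteuid() == 0:
                # Order matters: groups and gid first, uid last (irreversible).
                os.setgroups(plan["groups"])
                os.setgid(plan["gid"])
                os.setuid(plan["uid"])
            if os.getuid() != plan["uid"] or os.geteuid() != plan["uid"]:
                os._exit(126)  # not the requested user: do not exec
            os.execvp(argv[0], argv)
        except BaseException:
            pass
        os._exit(127)  # identity switch or exec failed
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1
```

Switching ids in `run_as` only happens when the caller is root; an unprivileged caller can only run the command as itself.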



