Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:15.5:Update
slurm.32296
U_17-Expose-drop_privileges-reclaim_privileges....
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File U_17-Expose-drop_privileges-reclaim_privileges.patch of Package slurm.32296
From: Tim Wickberg <tim@schedmd.com> Date: Wed Oct 11 12:45:25 2023 -0600 Subject: [PATCH 17/19]Expose drop_privileges() / reclaim_privileges(). Patch-mainline: Upstream Git-repo: https://github.com/SchedMD/slurm Git-commit: d581d07d836231a236c86c8306764402c3a13382 References: bsc#1216207 Signed-off-by: Egbert Eich <eich@suse.de> --- src/slurmd/slurmstepd/mgr.c | 55 +++++++++++++++++---------------------------- src/slurmd/slurmstepd/mgr.h | 12 ++++++++++ 2 files changed, 33 insertions(+), 34 deletions(-) diff --git a/src/slurmd/slurmstepd/mgr.c b/src/slurmd/slurmstepd/mgr.c index 8bd65c68b2..4cba2adbb8 100644 --- a/src/slurmd/slurmstepd/mgr.c +++ b/src/slurmd/slurmstepd/mgr.c @@ -123,14 +123,6 @@ #define RETRY_DELAY 15 /* retry every 15 seconds */ #define MAX_RETRY 240 /* retry 240 times (one hour max) */ -struct priv_state { - uid_t saved_uid; - gid_t saved_gid; - gid_t * gid_list; - int ngids; - char saved_cwd [4096]; -}; - step_complete_t step_complete = { PTHREAD_COND_INITIALIZER, PTHREAD_MUTEX_INITIALIZER, @@ -169,9 +161,6 @@ static int _fork_all_tasks(stepd_step_rec_t *job, bool *io_initialized); static int _become_user(stepd_step_rec_t *job, struct priv_state *ps); static void _set_prio_process (stepd_step_rec_t *job); static int _setup_normal_io(stepd_step_rec_t *job); -static int _drop_privileges(stepd_step_rec_t *job, bool do_setuid, - struct priv_state *state, bool get_list); -static int _reclaim_privileges(struct priv_state *state); static void _send_launch_resp(stepd_step_rec_t *job, int rc); static int _slurmd_job_log_init(stepd_step_rec_t *job); static void _wait_for_io(stepd_step_rec_t *job); @@ -460,7 +449,7 @@ _setup_normal_io(stepd_step_rec_t *job) * descriptors (which may be connected to files), then * reclaim privileges. */ - if (_drop_privileges(job, true, &sprivs, true) < 0) + if (drop_privileges(job, true, &sprivs, true) < 0) return ESLURMD_SET_UID_OR_GID_ERROR; if (io_init_tasks_stdio(job) != SLURM_SUCCESS) { @@ -574,7 +563,7 @@ _setup_normal_io(stepd_step_rec_t *job) } claim: - if (_reclaim_privileges(&sprivs) < 0) { + if (reclaim_privileges(&sprivs) < 0) { error("sete{u/g}id(%lu/%lu): %m", (u_long) sprivs.saved_uid, (u_long) sprivs.saved_gid); } @@ -941,12 +930,12 @@ static void *_x11_signal_handler(void *arg) switch (sig) { case SIGTERM: /* kill -15 */ debug("Terminate signal (SIGTERM) received"); - if (_drop_privileges(job, true, &sprivs, false) < 0) { + if (drop_privileges(job, true, &sprivs, false) < 0) { error("Unable to drop privileges"); return NULL; } shutdown_x11_forward(job); - if (_reclaim_privileges(&sprivs) < 0) + if (reclaim_privileges(&sprivs) < 0) error("Unable to reclaim privileges"); return NULL; /* Normal termination */ break; @@ -986,7 +975,7 @@ static int _spawn_job_container(stepd_step_rec_t *job) if (job->x11) { struct priv_state sprivs = { 0 }; - if (_drop_privileges(job, true, &sprivs, false) < 0) { + if (drop_privileges(job, true, &sprivs, false) < 0) { error ("Unable to drop privileges"); return SLURM_ERROR; } @@ -995,7 +984,7 @@ static int _spawn_job_container(stepd_step_rec_t *job) error("x11 port forwarding setup failed"); _exit(127); } - if (_reclaim_privileges(&sprivs) < 0) { + if (reclaim_privileges(&sprivs) < 0) { error ("Unable to reclaim privileges"); return SLURM_ERROR; } @@ -1432,7 +1421,7 @@ static int _pre_task_child_privileged( int setwd = 0; /* set working dir */ int rc = 0; - if (_reclaim_privileges(sp) < 0) + if (reclaim_privileges(sp) < 0) return SLURM_ERROR; #ifndef HAVE_NATIVE_CRAY @@ -1455,9 +1444,9 @@ static int _pre_task_child_privileged( return error("spank_task_init_privileged failed"); /* sp->gid_list should already be initialized */ - rc = _drop_privileges(job, true, sp, false); + rc = drop_privileges(job, true, sp, false); if (rc) { - error ("_drop_privileges: %m"); + error ("drop_privileges: %m"); return rc; } @@ -1694,7 +1683,7 @@ _fork_all_tasks(stepd_step_rec_t *job, bool *io_initialized) * Temporarily drop effective privileges, except for the euid. * We need to wait until after pam_setup() to drop euid. */ - if (_drop_privileges (job, false, &sprivs, true) < 0) + if (drop_privileges (job, false, &sprivs, true) < 0) return ESLURMD_SET_UID_OR_GID_ERROR; if (pam_setup(job->user_name, conf->hostname) @@ -1706,7 +1695,7 @@ _fork_all_tasks(stepd_step_rec_t *job, bool *io_initialized) /* * Reclaim privileges to do the io setup */ - _reclaim_privileges (&sprivs); + reclaim_privileges(&sprivs); if (rc) goto fail1; /* pam_setup error */ @@ -1753,8 +1742,8 @@ _fork_all_tasks(stepd_step_rec_t *job, bool *io_initialized) /* * Temporarily drop effective privileges */ - if (_drop_privileges (job, true, &sprivs, true) < 0) { - error ("_drop_privileges: %m"); + if (drop_privileges (job, true, &sprivs, true) < 0) { + error ("drop_privileges: %m"); rc = SLURM_ERROR; goto fail2; } @@ -1811,7 +1800,7 @@ _fork_all_tasks(stepd_step_rec_t *job, bool *io_initialized) * Reclaim privileges for the child and call any plugin * hooks that may require elevated privs * sprivs.gid_list is already set from the - * _drop_privileges call above, no not reinitialize. + * drop_privileges call above, no not reinitialize. * NOTE: Only put things in here that are self contained * and belong in the child. */ @@ -1876,7 +1865,7 @@ _fork_all_tasks(stepd_step_rec_t *job, bool *io_initialized) /* * Reclaim privileges */ - if (_reclaim_privileges (&sprivs) < 0) { + if (reclaim_privileges(&sprivs) < 0) { error ("Unable to reclaim privileges"); /* Don't bother erroring out here */ } @@ -1976,7 +1965,7 @@ fail4: error ("Unable to return to working directory"); } fail3: - _reclaim_privileges (&sprivs); + reclaim_privileges (&sprivs); fail2: FREE_NULL_LIST(exec_wait_list); io_close_task_fds(job); @@ -2531,9 +2520,8 @@ _send_complete_batch_script_msg(stepd_step_rec_t *job, int err, int status) /* If get_list is false make sure ps->gid_list is initialized before * hand to prevent xfree. */ -static int -_drop_privileges(stepd_step_rec_t *job, bool do_setuid, - struct priv_state *ps, bool get_list) +extern int drop_privileges(stepd_step_rec_t *job, bool do_setuid, + struct priv_state *ps, bool get_list) { ps->saved_uid = getuid(); ps->saved_gid = getgid(); @@ -2583,8 +2571,7 @@ _drop_privileges(stepd_step_rec_t *job, bool do_setuid, return SLURM_SUCCESS; } -static int -_reclaim_privileges(struct priv_state *ps) +extern int reclaim_privileges(struct priv_state *ps) { int rc = SLURM_SUCCESS; @@ -2829,8 +2816,8 @@ _run_script_as_user(const char *name, const char *path, stepd_step_rec_t *job, argv[1] = NULL; sprivs.gid_list = NULL; /* initialize to prevent xfree */ - if (_drop_privileges(job, true, &sprivs, false) < 0) { - error("run_script_as_user _drop_privileges: %m"); + if (drop_privileges(job, true, &sprivs, false) < 0) { + error("run_script_as_user drop_privileges: %m"); /* child process, should not return */ exit(127); } diff --git a/src/slurmd/slurmstepd/mgr.h b/src/slurmd/slurmstepd/mgr.h index 4b5808661a..a82ab90256 100644 --- a/src/slurmd/slurmstepd/mgr.h +++ b/src/slurmd/slurmstepd/mgr.h @@ -85,4 +85,16 @@ int job_manager(stepd_step_rec_t *job); extern void init_initgroups(int); +struct priv_state { + uid_t saved_uid; + gid_t saved_gid; + gid_t *gid_list; + int ngids; + char saved_cwd[4096]; +}; + +extern int drop_privileges(stepd_step_rec_t *step, bool do_setuid, + struct priv_state *state, bool get_list); +extern int reclaim_privileges(struct priv_state *state); + #endif
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor