> On 22.01.2020 at 16:55, Hay, William <w....@ucl.ac.uk> wrote:
>
> Signed PGP part
> On Tue, Jan 21, 2020 at 03:51:01PM +0000, Skylar Thompson wrote:
>> -V strips out PATH and LD_LIBRARY_PATH for security reasons, since prolog
>
> I don't think this is the case. I've just experimented with one of our 8.1.9
> clusters and I can set arbitrary PATHs, run qsub -V and have the value I set
> show up in the environment of the job. More likely the job is being run with
> a shell that is configured as a login shell and the init scripts for the shell
> are stomping on the value of PATH.
Another option could be an "adjustment" of the PATH variable by a JSV.
-- Reuti
>
>> and epilog scripts run with the submission environment but possibly in the
>> context of a different user (i.e. a user could point a root-running prolog
>> script at compromised binaries or C library).
>
> This is something slightly different. The prolog and epilog used to run with
> the exact same environment as the job. This opened up an attack vector,
> especially if the prolog or epilog were run as a privileged user rather than
> the job owner. The environment in which the prolog and epilog
> are run is now sanitised.
>
> William
>
>
_______________________________________________
users mailing list
users@gridengine.org
https://gridengine.org/mailman/listinfo/users
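
The kind of sanitising William describes for prolog and epilog scripts, as an added example (not Grid Engine's code and not from this thread): a wrapper that starts a privileged hook with an empty environment, a fixed PATH and a small allowlist of variables. `SAFE_PATH`, `KEEP_VARS` and `run_sanitized` are names assumed for this sketch, and the allowlist contents are an assumption.

```shell
#!/bin/sh
# Added example, not Grid Engine code. SAFE_PATH, KEEP_VARS and
# run_sanitized are names assumed for this sketch.
SAFE_PATH="/usr/sbin:/usr/bin:/sbin:/bin"   # fixed system directories only
KEEP_VARS="JOB_ID USER HOME TMPDIR"         # allowlist (assumption): what the hook needs

# run_sanitized CMD [ARGS...]
# Runs CMD with an empty environment plus SAFE_PATH and the allowlisted
# variables that are set in the caller. The submitter's PATH,
# LD_LIBRARY_PATH, LD_PRELOAD and everything else are dropped.
run_sanitized() {
    _n=$#                                   # number of words in CMD [ARGS...]
    for _v in $KEEP_VARS; do
        # Copy only variables that are actually set; names come from the
        # fixed allowlist above, so the eval never sees submitter input.
        if eval "[ \"\${$_v+set}\" = set ]"; then
            eval "_val=\$$_v"
            set -- "$@" "$_v=$_val"         # append NAME=value, spaces preserved
        fi
    done
    # Rotate the original command words behind the NAME=value words.
    while [ "$_n" -gt 0 ]; do
        set -- "$@" "$1"
        shift
        _n=$((_n - 1))
    done
    # Absolute path: looking up "env" through the inherited PATH would
    # reintroduce the problem this wrapper is meant to remove.
    /usr/bin/env -i PATH="$SAFE_PATH" "$@"
}

# Constructed demonstration: a submission environment with untrusted entries.
(
    PATH="/tmp/untrusted/bin:$PATH"
    LD_LIBRARY_PATH="/tmp/untrusted/lib"
    JOB_ID="42"
    export PATH LD_LIBRARY_PATH JOB_ID
    run_sanitized sh -c 'echo "PATH=$PATH"
        echo "LD_LIBRARY_PATH=${LD_LIBRARY_PATH-<unset>}"
        echo "JOB_ID=$JOB_ID"'
)
```

If the hook is started through a login shell, that shell's init scripts can still rewrite PATH after the wrapper has set it, which is the effect William suspects in the job's case.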