You could set the setuid bit on the application and chown it to root??  It
is about as secure as anything else that has been described thus far.  As a
system admin, I cringe at the thought of anything that would allow something
to run as someone else, so there would have to be a pretty good
justification for such a unique use case as yours.

Randall

On Wed, Sep 14, 2011 at 12:56 PM, Reuti <re...@staff.uni-marburg.de> wrote:

> On 14.09.2011 at 19:02, Blosch, Edwin L wrote:
>
> > Thanks for trying.
> >
> > Do you feel that this is an impossible request without the assistance of
> > some process running as root, for example, as Reuti mentioned, the daemons
> > of a job scheduler?  Or are you saying it will just not be as
> > straightforward as calling setgid as you had hoped?
> >
> > Also, do you think there is a way I could make use of the sg command
> > below?  Perhaps there is a way to have the rsh/ssh launcher start the
> > application processes with a command like 'sg <group> <executable name>'?
>
> What about a half-tight integration (or call it: classic tight
> integration), i.e. no recompilation necessary?
>
> - set up your mpiexec call in the jobscript to use a plain rsh for the
> remote startup (no path given): -mca plm_rsh_agent rsh
>
> - the PE of SGE needs the argument -catch_rsh in start_proc_args and the
> supplied script in $SGE_ROOT/mpi/startmpi.sh
>
>  (SGE will create a symbolic link in $TMPDIR therein [which will be called
> first this way] to the rsh-wrapper in $SGE_ROOT/mpi [pitfall: some
> applications need a -V to be added in the lines with "qrsh", i.e. "qrsh
> -inherit -V ..." to send all environment variables to the slaves])
>
> - what is your setting of qrsh_daemon/qrsh_command in `qconf -sconf`? This
> will then be used finally to reach the node and should be builtin or point
> to the SGE supplied rsh/rshd (no rshd necessary to install, no rshd is
> running all the time, no rshd will be started by xinet.d or alike)
>
> - like you do already: switch off the built-in SGE starter in your mpiexec
> call: -mca plm_rsh_disable_qrsh 1
>
> -- Reuti
>
> PS: To avoid misunderstandings: you could also set "-mca plm_rsh_agent
> foobar" and in $SGE_ROOT/mpi/startmpi.sh you change it to create a symbolic
> link called "foobar" in $TMPDIR. It's just a name at this stage of startup.
>
>
> > Ed
> >
> >
> > NAME
> >      sg - execute command as different group ID
> >
> > SYNOPSIS
> >      sg [-] [group [-c ] command]
> >
> > DESCRIPTION
> >      The sg command works similar to newgrp but accepts a command. The
> >      command will be executed with the /bin/sh shell. With most shells you
> >      may run sg from, you need to enclose multi-word commands in quotes.
> >      Another difference between newgrp and sg is that some shells treat
> >      newgrp specially, replacing themselves with a new instance of a shell
> >      that newgrp creates. This doesn't happen with sg, so upon exit from a
> >      sg command you are returned to your previous group ID.
> >
> >
> >
> >
> > -----Original Message-----
> > From: users-boun...@open-mpi.org [mailto:users-boun...@open-mpi.org] On Behalf Of Ralph Castain
> > Sent: Wednesday, September 14, 2011 11:33 AM
> > To: Open MPI Users
> > Subject: Re: [OMPI users] EXTERNAL: Re: Can you set the gid of the processes created by mpirun?
> >
> >
> > On Sep 14, 2011, at 9:39 AM, Blosch, Edwin L wrote:
> >
> >> Thanks, Ralph,
> >>
> >> I get the failure messages, unfortunately:
> >>
> >> setgid FAILED
> >> setgid FAILED
> >> setgid FAILED
> >>
> >> I actually had attempted to call setgid from within the application
> >> previously, which looks similar to what you've done, but it failed. That was
> >> when I initiated the post to the mailing list. My conclusion, a guess
> >> really, was that Linux would not let me setgid from within my program
> >> because I was not root.
> >
> > I was afraid of that - the documentation seemed to indicate that would be
> > the case, but I figured it was worth a quick try. Sorry I can't be of help.
> >
> >
> >>
> >>
> >> -----Original Message-----
> >> From: users-boun...@open-mpi.org [mailto:users-boun...@open-mpi.org] On Behalf Of Ralph Castain
> >> Sent: Wednesday, September 14, 2011 8:15 AM
> >> To: Open MPI Users
> >> Subject: Re: [OMPI users] EXTERNAL: Re: Can you set the gid of the processes created by mpirun?
> >>
> >> The attached should set the gid of the remote daemons (and their
> >> children) to the gid of mpirun. No cmd line option or anything is required -
> >> it will just always do it.
> >>
> >> Would you mind giving it a try?
> >>
> >> Please let me know if/how it works.
> >>
> >> _______________________________________________
> >> users mailing list
> >> us...@open-mpi.org
> >> http://www.open-mpi.org/mailman/listinfo.cgi/users
> >
> >
>



-- 
Randall Svancara
http://knowyourlinux.com/
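
An added example (not part of the original thread and not Open MPI code): a small C check of the rule setgid(2) applies to an unprivileged caller on Linux, which matches the "setgid FAILED" output quoted above if the target group is only a supplementary group of the user. The function names are hypothetical, and `getresgid` is assumed available (Linux/glibc).

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* glibc declares this only under _GNU_SOURCE; prototype repeated so the file builds either way. */
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);

/* 1 if an unprivileged setgid(gid) is permitted: per setgid(2), gid must
 * equal the caller's real GID or saved set-group-ID. */
int unprivileged_setgid_allowed(gid_t gid) {
    gid_t r, e, s;
    if (getresgid(&r, &e, &s) != 0) return 0;
    return gid == r || gid == s;
}

/* 1 if gid is in the supplementary group list. Membership here grants file
 * access but does NOT by itself let setgid() switch to that group. */
int in_supplementary_groups(gid_t gid) {
    int n = getgroups(0, NULL);
    if (n <= 0) return 0;
    gid_t *list = malloc((size_t)n * sizeof *list);
    if (list == NULL) return 0;
    int found = 0;
    n = getgroups(n, list);
    for (int i = 0; i < n; i++)
        if (list[i] == gid) found = 1;
    free(list);
    return found;
}

/* Attempt the switch and verify it took effect; 0 on success, else an errno value. */
int try_setgid(gid_t gid) {
    if (setgid(gid) != 0) return errno;
    return getegid() == gid ? 0 : EPERM;
}

int main(int argc, char **argv) {
    /* Target GID from argv[1]; defaults to the real GID, which always succeeds. */
    gid_t target = argc > 1 ? (gid_t)strtoul(argv[1], NULL, 10) : getgid();
    printf("gid %lu: supplementary=%d allowed-unprivileged=%d\n",
           (unsigned long)target, in_supplementary_groups(target),
           unprivileged_setgid_allowed(target));
    int rc = try_setgid(target);
    printf("setgid -> %s\n", rc == 0 ? "ok" : strerror(rc));
    return rc == 0 ? 0 : 1;
}
```

Run as a normal user with the numeric GID of a group you belong to only as a supplementary member, it reports `supplementary=1 allowed-unprivileged=0` and the call fails with EPERM.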
