
slurm: How to submit a job under another user and prevent it from reading other users' files?


Based on the following thread, I am trying to send a job under another user.

I am logged in as the main_user, and Slurm jobs are submitted via main_user, which can do rm -rf /home/main_user; that is pretty dangerous.

In order to prevent this I want to run a job under another user's permission under the main_user's directory. I think that if I manage to submit the job through a newly created user, that user has no permission to alter any of my files, except the folder that the user is running his job in.

Creating a new user:

sudo useradd -m newuser -d /home/newuser
sacctmgr add account newuser --immediate
sacctmgr create user newuser  defaultaccount=newuser adminlevel=[None] --immediate

Approach 1: Running as newUser under main_user's directory:

$ cd pathToRunMyJob
$ sudo chown -R newuser:newuser .
$ id -u newuser
1004
$ sbatch  --uid=1004 run.sh

Approach 2: running job inside newly created user's folder under home directory:

$ cd /home/newuser
$ id -u newuser
1004
$ sbatch --uid=1004 run.sh

But now I am having following pending message:

JOBID PARTITION   NAME     USER ST       TIME  NODES NODELIST(REASON)
  602     debug   run.sh   deneme PD     0:00      1 (launch failed requeued held)

Update:

I have tried to submit a job under another user using @Dmitri Chubarov's comment:

sudo su - newuser ; sbatch run.sh

That seems like a solution. After I did sudo su - newuser and then sbatch run.sh, it prevents newuser's source code from changing other users' folders.


Also, I just want to prevent a user from accessing any important data stored by any other user. chmod go-rwx /home/* or chmod 700 ~/* makes other users' folders inaccessible; could it be a helpful solution?


Solution

  • But after I do sbatch run.sh, I get the following message: Submitted batch job *** ; but the submitted job does not show up on squeue and the job does not launch on Slurm.

    Often, that indicates that newuser is not known on the compute node. You have to run the useradd command on all compute nodes as well. But that should be clear from the Slurm log files.

    Also, I just want to prevent a user from accessing any important data stored by any other user. chmod go-rwx /home/* or chmod 700 ~/* makes other users' folders inaccessible; could it be a helpful solution?

    Yes, chmod go-rwx /home/* would be the way to go.
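
A way to verify both points of the answer above, as an added example that is not part of the original answer: open_homes lists home directories that group or other can still access, and uid_mismatches flags compute nodes where the user is missing or (going slightly beyond the answer) has a different UID than expected. The function names, the "node passwd-entry" input format and the sample node lines are assumptions constructed for this example.

```bash
#!/bin/sh
# Added example: checks for the two points made in the answer.

# List directories directly under BASE ($1) that still grant any group/other
# permission (any of the 077 mode bits). After `chmod go-rwx BASE/*` this
# prints nothing. Uses GNU find's "-perm /MODE" (any of these bits set).
open_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm /077 | sort
}

# Read "node passwd-entry" lines on stdin, one per compute node, and print the
# nodes where USER ($1) is missing or has a UID other than EXPECTED_UID ($2).
# Assumed input format: hostname, a space, then whatever `getent passwd USER`
# printed on that node (empty if the node does not know the user).
uid_mismatches() {
    awk -v user="$1" -v uid="$2" '
        {
            node = $1
            n = split($2, f, ":")      # passwd fields: name:pw:uid:gid:...
            if (n < 3 || f[1] != user)
                print node ": user missing"
            else if (f[3] != uid)
                print node ": uid " f[3] " != " uid
        }'
}

# Constructed sample: node2 has a different UID, node3 does not know the user.
SAMPLE_NODES='node1 newuser:x:1004:1004::/home/newuser:/bin/bash
node2 newuser:x:1007:1007::/home/newuser:/bin/bash
node3 '

# Demo on the constructed sample (1004 is the UID shown in the question).
printf '%s\n' "$SAMPLE_NODES" | uid_mismatches newuser 1004
```

Running open_homes /home on the login node before and after the chmod shows which home directories were exposed.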