Based on the following thread, I am trying to submit a job as another user.
I am logged in as main_user, and Slurm jobs are submitted via main_user, which can do rm -rf /home/main_user; that is pretty dangerous.
In order to prevent this, I want to run a job with another user's permissions inside main_user's directory. I think that if I manage to submit the job through a newly created user, that user has no permission to alter any of my files, except the folder in which the user is running his job.
Creating a new user:
sudo useradd -m newuser -d /home/newuser
sacctmgr add account newuser --immediate
sacctmgr create user newuser defaultaccount=newuser adminlevel=[None] --immediate
Approach 1: Running as newUser under main_user's directory:
$ cd pathToRunMyJob
$ sudo chown -R newuser:newuser .
$ id -u newuser
1004
$ sbatch --uid=1004 run.sh
Approach 2: Running the job inside the newly created user's folder under the home directory:
$ cd /home/newuser
$ id -u newuser
1004
$ sbatch --uid=1004 run.sh
But now I am getting the following pending message:
JOBID PARTITION NAME USER ST TIME NODES NODELIST(REASON)
602 debug run.sh deneme PD 0:00 1 (launch failed requeued held)
Update:
I have tried to submit a job as another user using @Dmitri Chubarov's comment:
sudo su - newuser ; sbatch run.sh
That seems like a solution. After I did sudo su - newuser and then sbatch run.sh, it prevents newuser's source code from changing other users' folders.
Also, I just want to prevent a user from accessing any important data stored by any other user. chmod go-rwx /home/* or chmod 700 ~/* makes other users' folders inaccessible; could it be a helpful solution?
But after I do sbatch run.sh, I get the following message: Submitted batch job *** ; but the submitted job does not show up on squeue and the job does not launch on Slurm.
Often, that indicates that newuser is not known on the compute node. You have to run the useradd command on all compute nodes as well. But that should be clear from the Slurm log files.
Also, I just want to prevent a user from accessing any important data stored by any other user. chmod go-rwx /home/* or chmod 700 ~/* makes other users' folders inaccessible; could it be a helpful solution?
Yes, chmod go-rwx /home/* would be the way to go.
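An added example (not part of the original question or answer): a POSIX shell sketch that first lists which top-level home directories still grant group or other access, then applies the answer's chmod go-rwx only to those. The function names audit_homes and lock_homes and the base-directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original thread.
# audit_homes / lock_homes are hypothetical helper names.

# Print "<mode-string> <path>" for every directory directly under $1
# (default /home) whose mode grants any group or other permission.
audit_homes() (
    base=${1:-/home}
    for dir in "$base"/*/; do
        dir=${dir%/}
        # Skip an unmatched glob and symlinked entries.
        [ -d "$dir" ] && [ ! -L "$dir" ] || continue
        # Keep the 10 type/permission characters; drop any ACL/SELinux marker.
        mode=$(ls -ld -- "$dir" | cut -c1-10)
        case $mode in
            d???------) ;;                         # already private to the owner
            *) printf '%s %s\n' "$mode" "$dir" ;;  # group/other bits still set
        esac
    done
)

# Same effect as `chmod go-rwx /home/*`, restricted to the directories
# the audit flagged. Prints how many directories were changed.
lock_homes() (
    base=${1:-/home}
    count=0
    audit_homes "$base" | {
        while IFS= read -r line; do
            chmod go-rwx -- "${line#* }"   # strip the leading mode string
            count=$((count + 1))
        done
        echo "$count"
    }
)
```

Run audit_homes as a review step and lock_homes with root privileges on the real /home. Like the /home/* glob in the answer, this only looks at non-hidden top-level directories, which is what blocks other users from reaching files beneath them by path.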