Bug 615492

Summary: starter hooks, HOOK_UPDATE_JOB_INFO and HOOK_JOB_EXIT not run as job owner
Product: Red Hat Enterprise MRG
Component: condor
Version: 1.2
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: Matthew Farrellee <matt>
Assignee: Matthew Farrellee <matt>
QA Contact: Tomas Rusnak <trusnak>
CC: fnadge, ltoscano, trusnak
Target Milestone: 1.3
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text: Previously, hooks that ran by the starter did not have the proper user privileges. With this update, all hooks are run with the job submit user privileges.
Last Closed: 2010-10-14 16:09:02 UTC

Description Matthew Farrellee 2010-07-16 20:09:54 UTC
Description of problem:

Extension of Bug 561955. Hooks run by the starter should be run with user privs.


Version-Release number of selected component (if applicable):

Certainly 7.4.4-0.4


How reproducible:

100%


Steps to Reproduce:
1. Set up hook scripts

PRIV_HOOK_REPLY_FETCH = /opt/hook-privs/hook_reply.sh
PRIV_HOOK_EVICT_CLAIM = /opt/hook-privs/hook_evict.sh
PRIV_HOOK_PREPARE_JOB = /opt/hook-privs/hook_prepare.sh
PRIV_HOOK_UPDATE_JOB_INFO = /opt/hook-privs/hook_update_job_info.sh
PRIV_HOOK_JOB_EXIT = /opt/hook-privs/hook_job_exit.sh
STARTER_DEBUG = D_SYSCALLS D_FULLDEBUG D_PRIV

$ cat /opt/hook-privs/hook_*.sh
#!/bin/sh
LOG=/tmp/hook-priv.log
echo -n $0 - >> $LOG
id >> $LOG
exit 0


2. Submit a job to use the PRIV hooks.

printf 'cmd=/bin/sleep\nargs=1d\n+hookkeyword="priv"\nqueue\n' | condor_submit


3. Watch the priv state switching in the StarterLog.slot* and output in /tmp/hook-priv.log


Actual results:

$ cat /tmp/hook-priv.log 
/opt/hook-privs/hook_prepare.sh -uid=500(matt) gid=500(matt) groups=500(matt) context=user_u:system_r:unconfined_execmem_t
/opt/hook-privs/hook_update_job_info.sh -uid=64(condor) gid=64(condor) groups=500(matt) context=user_u:system_r:unconfined_execmem_t
/opt/hook-privs/hook_job_exit.sh -uid=64(condor) gid=64(condor) groups=500(matt) context=user_u:system_r:unconfined_execmem_t


Expected results:

$ cat /tmp/hook-priv.log 
/opt/hook-privs/hook_prepare.sh -uid=500(matt) gid=500(matt) groups=500(matt) context=user_u:system_r:unconfined_execmem_t
/opt/hook-privs/hook_update_job_info.sh -uid=500(matt) gid=500(matt) groups=500(matt) context=user_u:system_r:unconfined_execmem_t
/opt/hook-privs/hook_job_exit.sh -uid=500(matt) gid=500(matt) groups=500(matt) context=user_u:system_r:unconfined_execmem_t
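
Added example (not part of the original report and not Condor code): a shell check that reads the /tmp/hook-priv.log format written by the hook scripts above and reports every hook that did not run as the expected job owner. The function names check_hook_privs and sample_actual and their arguments are assumptions made for this example; the sample lines are the "Actual results" from this report.

```shell
#!/bin/sh
# check_hook_privs USER GROUP [LOGFILE]
# Reads hook-priv.log lines ("<hook path> -uid=N(name) gid=N(name) groups=...")
# from LOGFILE, or stdin when LOGFILE is omitted, and prints one MISMATCH line
# per hook that ran with a uid or gid name other than USER/GROUP.
# Returns 0 when every hook ran as USER:GROUP, 1 otherwise.
check_hook_privs() {
    awk -v user="$1" -v group="$2" '
    function name(field) {              # "uid=500(matt)" -> "matt"
        if (!match(field, /\([^)]*\)/)) return ""
        return substr(field, RSTART + 1, RLENGTH - 2)
    }
    NF < 3 { next }                     # skip blank or truncated lines
    {
        u = g = ""
        for (i = 2; i <= NF; i++) {
            f = $i
            sub(/^-/, "", f)            # the hook writes "$0 -" right before the id output
            if (f ~ /^uid=/) u = name(f)
            else if (f ~ /^gid=/) g = name(f)
        }
        if (u != user || g != group) {
            printf "MISMATCH %s ran as %s:%s, expected %s:%s\n", $1, u, g, user, group
            bad++
        }
    }
    END { exit (bad > 0) }
    ' "${3:--}"
}

# Sample input: the "Actual results" lines from this report.
sample_actual() {
cat <<'EOF'
/opt/hook-privs/hook_prepare.sh -uid=500(matt) gid=500(matt) groups=500(matt) context=user_u:system_r:unconfined_execmem_t
/opt/hook-privs/hook_update_job_info.sh -uid=64(condor) gid=64(condor) groups=500(matt) context=user_u:system_r:unconfined_execmem_t
/opt/hook-privs/hook_job_exit.sh -uid=64(condor) gid=64(condor) groups=500(matt) context=user_u:system_r:unconfined_execmem_t
EOF
}

# Demo run: flags hook_update_job_info.sh and hook_job_exit.sh.
sample_actual | check_hook_privs matt matt || true
```

On a test machine, run it as: check_hook_privs <submit user> <submit group> /tmp/hook-priv.log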

Comment 1 Matthew Farrellee 2010-07-16 20:32:08 UTC
Note: make sure /tmp/hook-priv.log has chmod a+rw and is created before the job is submitted

Comment 2 Matthew Farrellee 2010-07-16 23:28:10 UTC
https://condor-wiki.cs.wisc.edu/index.cgi/tktview?tn=1510

Built post 7.4.4-0.4

Comment 3 Tomas Rusnak 2010-08-05 13:24:11 UTC
Reproduced on:

$CondorVersion: 7.4.4 Jun 30 2010 BuildID: RH-7.4.4-0.4.el5 PRE-RELEASE $
$CondorPlatform: I386-LINUX_RHEL5 $

Results:
/opt/hook-privs/hook_prepare.sh -uid=500(test) gid=500(test) groups=500(test) context=root:system_r:unconfined_execmem_t
/opt/hook-privs/hook_update_job_info.sh -uid=64(condor) gid=64(condor) groups=500(test) context=root:system_r:unconfined_execmem_t
/opt/hook-privs/hook_job_exit.sh -uid=64(condor) gid=64(condor) groups=500(test) context=root:system_r:unconfined_execmem_t

Comment 4 Tomas Rusnak 2010-08-06 08:15:36 UTC
Tested on:

$CondorVersion: 7.4.4 Aug  5 2010 BuildID: RH-7.4.4-0.8.el4 PRE-RELEASE $
$CondorPlatform: X86_64-LINUX_RHEL4 $

$CondorVersion: 7.4.4 Aug  5 2010 BuildID: RH-7.4.4-0.8.el4 PRE-RELEASE $
$CondorPlatform: I386-LINUX_RHEL4 $

$CondorVersion: 7.4.4 Aug  5 2010 BuildID: RH-7.4.4-0.8.el5 PRE-RELEASE $
$CondorPlatform: X86_64-LINUX_RHEL5 $

$CondorVersion: 7.4.4 Aug  5 2010 BuildID: RH-7.4.4-0.8.el5 PRE-RELEASE $
$CondorPlatform: I386-LINUX_RHEL5 $

/opt/hook-privs/hook_prepare.sh -uid=500(test) gid=500(test) groups=500(test) context=root:system_r:unconfined_execmem_t
/opt/hook-privs/hook_job_exit.sh -uid=500(test) gid=500(test) groups=500(test) context=root:system_r:unconfined_execmem_t

All hooks run under job submit user privileges now.

>>> VERIFIED

Comment 5 Florian Nadge 2010-10-07 15:21:18 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Previously, hooks that ran by the starter didn't have the proper user privileges. With this update, all hooks run under job submit user privileges, now.

Comment 6 Martin Prpič 2010-10-10 09:57:44 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-Previously, hooks that ran by the starter didn't have the proper user privileges. With this update, all hooks run under job submit user privileges, now.+Previously, hooks that ran by the starter did not have the proper user privileges. With this update, all hooks are run with the job submit user privileges.
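Review bot: the replacement text still reads "hooks that ran by the starter", which is ungrammatical; "hooks run by the starter" would fix it. The note also leaves "proper user privileges" unspecified: the bug summary names HOOK_UPDATE_JOB_INFO and HOOK_JOB_EXIT as the hooks affected, and the reproduction log shows them running as uid condor rather than the job owner, so naming those hooks and that account would tell an administrator what actually changed.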

Comment 8 errata-xmlrpc 2010-10-14 16:09:02 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0773.html