Security / sudo configuration question


Security / sudo configuration question

Aaron Gussman
As I understand it, in order for a user to run pipelines as themselves, the apache user must be able to passwordlessly sudo the following commands as that user:

          NOPASSWD:/path/RunWorkflow, \
          NOPASSWD:/path/qsub /path/RunWorkflow, \
          NOPASSWD:/path/ergatis/scratch/scripts/*.sh

Are all of these required?  Is there anything else I'm missing?

I'm asking because our IT has some security concerns, especially about the last sudo command.  If anyone has advice or experience on making ergatis more secure, I'd appreciate it.

Thanks,
Aaron

------------------------------------------------------------------------------
This SF.net email is sponsored by

Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev 
_______________________________________________
Ergatis-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/ergatis-users

Re: Security / sudo configuration question

Joshua Orvis
Aaron,

Only two of the three are required, depending on your configuration.

If your 'submit_pipelines_as_jobs' parameter (in ergatis.ini) is set to 0 then you'll need the first sudo but not the second, and vice versa if that parameter is set to 1.  The third is always required.  Keep in mind though that the only user that needs these sudo privileges is the user that's running the web server, so if you make the '/path/ergatis/scratch/scripts/' directory owned by that user and 700 you should be OK.  No other users even need to view the contents of that directory.

The one way I know of users getting around this setup is to run their own copies of the interface locally where apache is running as one of their own processes.  This is less ideal because you have lots of copies of the interface code everywhere, but it's one approach.

Joshua
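
An added example, not code from the thread or from the ergatis project: a POSIX shell script that prints the sudoers fragment matching either setting of submit_pipelines_as_jobs and checks the scripts directory against the condition given above (owned by the web server user, mode 700), plus a listing of any .sh file in it that someone else owns or can write. The web server user name, the '/path' base and the '(ALL)' run-as specification are assumptions.

```shell
#!/bin/sh
# Added example, not ergatis project code. Assumes the web server runs as the
# user given in $1 and that ergatis lives under the base path given in $2.

# Print the sudoers fragment for one value of submit_pipelines_as_jobs ($3):
# 0 -> RunWorkflow is run directly, 1 -> it is submitted through qsub.
# The scripts/*.sh rule is emitted in both cases. "(ALL)" as the run-as
# specification is an assumption; the thread only says "as that user".
ergatis_sudoers() {
    webuser=$1; base=$2; as_jobs=$3
    if [ "$as_jobs" = "1" ]; then
        launcher="$base/qsub $base/RunWorkflow"
    else
        launcher="$base/RunWorkflow"
    fi
    printf '%s ALL = (ALL) NOPASSWD: %s, \\\n' "$webuser" "$launcher"
    printf '    NOPASSWD: %s/ergatis/scratch/scripts/*.sh\n' "$base"
}

# Return 0 only when the scripts directory exists, is owned by the web server
# user and is exactly mode 700: then nobody else can place a .sh file that the
# wildcard rule would let sudo run as another user.
scripts_dir_ok() {
    dir=$1; webuser=$2
    [ -d "$dir" ] || return 1
    [ -n "$(find "$dir" -maxdepth 0 -type d -user "$webuser" -perm 700 2>/dev/null)" ]
}

# List every .sh file under the directory that is not owned by the web server
# user or is group/other writable; each such file is a passwordless sudo command.
bad_scripts() {
    dir=$1; webuser=$2
    find "$dir" -name '*.sh' \( ! -user "$webuser" -o -perm -020 -o -perm -002 \) 2>/dev/null
}

# Usage: sh this.sh apache /path 1
if [ $# -eq 3 ]; then
    ergatis_sudoers "$1" "$2" "$3"
    scripts_dir_ok "$2/ergatis/scratch/scripts" "$1" && echo "scripts dir: ok" || echo "scripts dir: FIX ownership/mode"
    bad_scripts "$2/ergatis/scratch/scripts" "$1"
fi
```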



Re: Security / sudo configuration question

Aaron Gussman
Hi Joshua,
Thanks for the info.  One follow-up question: if submit_pipelines_as_jobs is set to 0, then ergatis/scratch/scripts/ can be local to the apache host, but if it's 1 then it'll have to be on a filesystem that's accessible by the SGE nodes, right?

Thanks,
Aaron


Re: Security / sudo configuration question

Joshua Orvis
Aaron -

That's exactly right.

JO


