Content-type: text/html Manpage of GLEXEC

GLEXEC

Section: gLite (1)
Updated: February 2009
Index Return to Main Contents

 

NAME

gLExec - Execute a command with different privileges based on one's credentials

 

SYNOPSIS

glexec <cmd> [args]

(deprecated) glexec <target uid, target gid, cmd> [args]

 

DESCRIPTION

gLExec takes as input a user credential or X.509 proxy and passes this information on to both lcas(1) and lcmaps(1) for authentication and authorization. It is those two components that determine the validity of the credentials and based on the configurations decide the mapping to a local Unix account. However, before this information is passed on, gLExec has various checks in place to ensure user safety. Once the mapping has been determined, gLExec performs some last checks to make sure all is well and will execute the command as specified, with the credentials of the local Unix user.

gLExec clears all but a few environment variables. The set of variables that are not cleared are:

GLEXEC_*
TZ
X509_USER_PROXY

Even though the PATH environment variable is cleared by gLExec, it is also restored with safe values, i.e. /usr/local/bin:/usr/bin:/bin. This means that in the environment of the command executed by gLExec, the PATH environment variable is set to '/usr/local/bin:/usr/bin:/bin'.

In addition to the automatic preservation of the above mentioned variables, the following variables are set up for the user execution environment such that they can be used and have meaningful information when the requested command is executed by gLExec, i.e. after the user identity switch has taken place:

HOME
X509_USER_PROXY
Note on the X509_USER_PROXY variable (See under ENVIRONMENT for a full description of all the environment variables): This variable is set up by gLExec, for the real user job, but it is also used by LCAS and LCMAPS to locate the proxy owned by the user. In this LCAS/LCMAPS case, both GLEXEC_CLIENT_CERT and X509_USER_PROXY will contain the same path to the same proxy. Once the identity has been determined and the switch to that identity established, the environment variable X509_USER_PROXY will contain the path of the proxy that belongs to the real user job (i.e. the value of $GLEXEC_TARGET_PROXY or $HOME/.glexec/proxy). This only happens when a proxy is supplied through the GLEXEC_SOURCE_PROXY environment variable. At the same time the contents of this file pointed to by GLEXEC_SOURCE_PROXY gets copied into the file pointed to by the new value of the X509_USER_PROXY variable.

 

OPTIONS

-h
Display usage info.
-V
How am I compiled? Shows the values of the constants that can be changed at compile time. This options works only when the calling user is root.
-v
Display version of gLExec.

 

ENVIRONMENT -- for gLExec

GLEXEC_MODE
Set gLExec in either of two modes:
lcmaps_get_account -- Normally, one operates gLExec in this mode and this makes sure that LCMAPS acquires all resources necessary to get an account. The arguments for gLExec in this mode are the command and its arguments.

(deprecated) lcmaps_verify_account -- The same as above, except necessary resources are not allocated and LCMAPS will only return the uid and gui for the mapping. The arguments for gLExec in this mode are first the target uid and target gid, followed by the command and its arguments.
Note: Setting lcmaps_verify_account will trigger a user error. If you really need this functionality, please contact us (the developers) to find another solution or to restore the support for this functionality.

In case the GLEXEC_MODE is not set, gLExec assumes lcmaps_get_account.

GLEXEC_CLIENT_CERT
Path to a proxy that gLExec, or rather LCMAPS, will use to base the identity switching on. This replaces the SSL_CLIENT_CERT variable. Instead of the certificate itself, GLEXEC_CLIENT_CERT contains the path to the certificate.
GLEXEC_SOURCE_PROXY
Path to a proxy that the real user job can use. gLExec will copy this proxy to the home directory of the mapped user and name it $HOME/.glexec/proxy. To change this location, use the GLEXEC_TARGET_PROXY environment variable.
GLEXEC_TARGET_PROXY
(optional) Specifies the path where the real user job proxy will be copied to. If unset the default $HOME/.glexec/proxy is used. see also GLEXEC_SOURCE_PROXY.
SSL_CLIENT_CERT
(deprecated) Old style of passing a certificate. This variable contains the whole certificate and not a path to a certificate.
Note: the use of this variable is no longer supported. It is error prone and now also removed from gLExec completely. Use GLEXEC_CLIENT_CERT instead.
GLEXEC_ID
(Optional) Extra ID for logging purposes. It is used to make messages from LCAS and LCMAPS more unique.

 

ENVIRONMENT -- for executable

The following environment variables are set up during the execution of gLExec and are meant to have sensible meaning in the execution environment of the requested command:

HOME

set to the mapped user's home directory, e.g. /home/pool0001

X509_USER_PROXY

set to the location of the copied proxy. So if the environment variable GLEXEC_TARGET_PROXY has been specified, the value of X509_USER_PROXY will be the same as GLEXEC_TARGET_PROXY, while in case GLEXEC_TARGET_PROXY was not defined, the default value is used, i.e. $HOME/.glexec/proxy

 

RETURN VALUES

Upon successful execution of a program, the return value from gLExec will simply be the return value of the program that was executed. Otherwise, gLExec quits with the following limited range of return values:

201 - Client error:
This error code is triggered when the user (caller of gLExec) has to change something in order for gLExec to be able to succeed. Some example situations: the input files (like proxy certificates) might have the wrong permissions or do not exist; the executable to be executed doesn't exist or has unacceptable file permissions.

202 - Internal gLExec error:
This error code has to be handled by the system administrator of the machine. This might be due to wrong permission bits on the configuration file, initialization errors of LCAS and/or LCMAPS or other system specific errors that can only be addressed by somebody with sufficient rights on the machine.

203 - Authorization error:
Everything went ok, but the user is not authorized. This could be triggered because the calling process was not in the white list and therefore not privileged to use gLExec. The other reason is that LCAS and/or LCMAPS failed to authorize the (real) user and gain an account mapping.

204 - Child return value overlap:
This error code is triggered when gLExec is in linger mode (activated by default) and when the called child process returns an exit code that overlaps with one of the error code numbers 201, 202, 203 and 204.

126 - Shell returns that the executable can't be executed:
This error code is triggered when the execv() call failed to execute the command, because of permission, execution or system problems found during the call for the executable that was tried to be set up. The shell code is not caught, but forwarded as an error code from the actual child process.

 

FILES

/opt/glite/etc/glexec.conf

 

BUGS

Files are properly locked to avoid the class of racing conditions which might lead to the injecting of links or accepting wrong permissions and ownerships. However this mechanism does not work on NFS file systems, where the locking will fail. See flock(2) for more details.

 

LIBRARY PATH NOTES

The effective library path of the system and shell must be able to locate the required runtime libraries for gLExec itself, LCAS, LCMAPS and their dynamically loaded plug-ins. In an ideal world this would mean to have all the required libraries be installed in system native locations on the file system. In practice you are required to add the paths /opt/globus/lib/ and /opt/glite/lib/ to the run-time library search paths. Since gLExec is a setuid application, LD_LIBRARY_PATH is ignored, so this leaves adding the path to the /etc/ld.so.conf{.d/glite} file or directory or hoping for a correctly applied set of RPATH values in the libraries. When using a version built by Etics, only the ld.so.conf option is available since Etics strips the RPATH values in the libraries. If you build all the components from source without Etics, these rpaths take precedence.

 

SEE ALSO

glexec.conf(5), lcas(1), lcmaps(1), x509(1), flock(2), fcntl(2)

 

AUTHORS

Written by Oscar Koeroo & Mischa Sall'e (from Jan 2009)
Written by Gerben Venekamp (until Jan 2009)

 

COPYRIGHT

Copyright © 2009, EGEE


 

Index

NAME
SYNOPSIS
DESCRIPTION
OPTIONS
ENVIRONMENT -- for gLExec
ENVIRONMENT -- for executable
RETURN VALUES
FILES
BUGS
LIBRARY PATH NOTES
SEE ALSO
AUTHORS
COPYRIGHT

This document was created by man2html, using the manual pages.
Time: 10:14:01 GMT, May 15, 2009