GLEXEC.CONF

NAME

glexec.conf - configuration file for gLExec

DESCRIPTION

The gLExec configuration file is a standard .ini file, located by default at '/opt/glite/etc/glexec.conf'. All gLExec specific settings have to be listed under the [glexec] tag. Other tags are allowed, but none other than [glexec] are taken into account.

The following key value pairs are currently understood by gLExec.

[glexec]

linger = {yes,no}

Controls the behaviour of gLExec when it executes the real user job. gLExec either forks, runs the real user job in the child and waits for it to return, in which case gLExec is said to linger, or it loads the image of the real user job over that of itself, in which case it does not linger.

lock_mechanism = {flock,fcntl,disabled} (deprecated)

use target_lock_mechanism instead.

target_lock_mechanism = {flock,fcntl,disabled}

this option specifies the type of file locking used when writing the target proxy. By default flock(2) will be used. In addition fcntl(2) can be selected, which works better over NFS. Thirdly the locking mechanism can be disabled.

input_lock_mechanism = {flock,fcntl,disabled}

this option specifies the type of file locking used when reading the input proxies, i.e. the GLEXEC_CLIENT_CERT and the GLEXEC_SOURCE_PROXY. By default flock(2) will be used. In addition fcntl(2) can be selected, which works better over NFS. Thirdly the locking mechanism can be disabled.

log_destination = {syslog,file}

Tells gLExec where to send its logging information. The default is syslog. For the value file, see also the next key, log_file.

log_file

Specify which file gLExec should use in case file has been chosen as log destination. This key has only meaning when the key log_destination is set to file.

log_level = {1,...,5}

set the log level of gLExec. Higher means more logging, highest level includes debug information. Default is level 3.

silent_logging = {yes,no}

turn off/on logging of gLExec. Default: No.

omission_private_key_white_list

List of comma separated user names that do not have to present a private key in their certificate when calling gLExec (note: this applies only to the certificate or proxy that will be used for authentication and authorization of the users calling gLExec, i.e. the GLEXEC_CLIENT_CERT, and not the one that can be copied by gLExec).

preserve_env_variables

List of comma separated environment variables that gLExec needs to preserve in addition to the set of environment variables that is preserved by default. Each name is matched as a whole, case-sensitive string.
Note:
Not all environment variables can be preserved, due to the way the linker might work. In case of setuid executables, LD_LIBRARY_PATH is normally ignored by the dynamic runtime linker, see ld.so(8), and hence gLExec has no means of preserving it. In addition, all variables starting with MALLOC_ are removed for security reasons and cannot be preserved.

pedantic_security_checks = {yes,no}

This option will enable a set of pedantic security checks. It will check if you can execute the command, taking into account the POSIX file system permission bits and your current active Unix credentials in the process. It will also check whether the executable is world writable. Default: No.

prohibit_exec_via_symlink = {yes,no}

This option will disallow the execution of a command or executable that is symlinked. Default: No (which will allow the execution of a symlink).

user_identity_switch_by = {glexec,lcmaps}

Determine where the target user identity is enforced. It takes either the value of glexec, which means gLExec will do the actual switching to the target uid, or lcmaps, in which case the actual switching is left to LCMAPS. In case the lcmaps value is used, please take note of the BUGS section. Default: glexec.

user_white_list

List of comma separated user names that are allowed to call gLExec, e.g. oscar,mischa,root
A single * is interpreted as everyone. Note that it cannot be used as part of a name.
When the name starts with a dot, e.g. .dteam, the name denotes a pool account and matches all user names starting with dteam, followed by one or more digits. Thus .dteam matches the regular expression: dteam[0-9]+. NOTE: all users belonging to the glexec group are automatically whitelisted.
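
The user_white_list matching rules described above, as an added example that is not taken from the gLExec source. It assumes the pool account pattern is anchored to the whole user name, that plain names are compared exactly, that whitespace around entries is ignored, and that the caller supplies each user's groups; the account names are constructed.

```python
import re

def entry_matches(entry, user):
    """Match one user_white_list entry against a calling user name."""
    if entry == "*":                       # a single * means everyone
        return True
    if entry.startswith(".") and len(entry) > 1:
        # .dteam is a pool account entry: dteam followed by one or more digits
        return re.fullmatch(re.escape(entry[1:]) + r"[0-9]+", user) is not None
    return entry == user                   # * inside a name is not a wildcard

def is_whitelisted(value, user, groups=()):
    """value is the raw user_white_list setting, groups the user's group names."""
    if "glexec" in groups:                 # glexec group members are always allowed
        return True
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return any(entry_matches(e, user) for e in entries)

def admitted(value, accounts):
    """Return the users from (user, groups) pairs that may call gLExec."""
    return [u for u, g in accounts if is_whitelisted(value, u, g)]

# Constructed account list for illustration.
ACCOUNTS = [("dteam001", ()), ("dteam", ()), ("dteam01x", ()),
            ("oscar", ()), ("pilot07", ("glexec",)), ("mallory", ())]

if __name__ == "__main__":
    for setting in (".dteam", "oscar,mischa,root", "dt*", "*"):
        print(f"user_white_list = {setting:18} -> {admitted(setting, ACCOUNTS)}")
```

Running the listing against the real account database before deploying a change shows how wide a given user_white_list actually is.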

backlog_path

Should point to a directory in which backlog entries will be created. A backlog entry has a filename consisting of the username of the target user followed by a colon and the process id of glexec; it has as contents the username of the calling user. NOTE: backlog entries are only created when gLExec is configured to do the switch, see user_identity_switch_by.

certdir

The value of this option will be set as X509_CERT_DIR environment variable for internal use by LCAS and LCMAPS.

vomsdir

The value of this option will be set as X509_VOMS_DIR environment variable for internal use by LCAS and LCMAPS.

use_lcas = {yes,no}

make use of the LCAS framework or bypass it. Default: Yes.

lcas_db_file

Override the built-in location of the LCAS configuration file.

lcas_log_file

Override the built-in location of the LCAS output log file. It can be the same as lcmaps_log_file, in which case both LCMAPS and LCAS use the same file to log to.

lcas_log_level = {1,..,5}

Override the built-in log level for LCAS.

lcas_debug_level = {1,..,5}

Override the built-in debug log level for LCAS.

lcmaps_db_file

Override the built-in location of the LCMAPS configuration file.

lcmaps_get_account_policy

Specify one or multiple LCMAPS plugin evaluation policies to be executed. This setting discards all other policies configured in the lcmaps.db file. Use the policy names as written in the lcmaps.db file. In case of multiple policies, use the colon-character as a delimiter. The rationale for this delimiter is that the parsing of this string is performed by LCMAPS, not in gLExec. Example: "vomspolicy:oldstylepolicy"
NOTE:
The order of the configured policies is ignored by LCMAPS. The setting "policy1:policy2" is equivalent to "policy2:policy1". The execution order is based on the order in which they appear in the lcmaps.db file, which is read from top to bottom.

lcmaps_log_file

Override the built-in location of the LCMAPS output log file. It can be the same as lcas_log_file, in which case both LCMAPS and LCAS use the same file to log their output to.

lcmaps_log_level = {1,..,5}

Override the built-in log level for LCMAPS.

lcmaps_debug_level = {1,..,5}

Override the built-in debug log level for LCMAPS.
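
A configuration check built from the key descriptions above, as an added example that is not part of gLExec. It assumes Python's configparser reads the file the way gLExec does and that values compare case-insensitively; the sample file and its paths are constructed.

```python
import configparser

# Value sets as listed on this page; case-insensitive comparison is an assumption.
ENUMS = {"linger": "yes no", "silent_logging": "yes no", "use_lcas": "yes no",
         "pedantic_security_checks": "yes no", "prohibit_exec_via_symlink": "yes no",
         "target_lock_mechanism": "flock fcntl disabled",
         "input_lock_mechanism": "flock fcntl disabled",
         "log_destination": "syslog file", "user_identity_switch_by": "glexec lcmaps"}
LEVELS = ("log_level", "lcas_log_level", "lcas_debug_level",
          "lcmaps_log_level", "lcmaps_debug_level")

def lint(text):
    """Return findings for the text of a glexec.conf, based on the key descriptions."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("glexec"):
        return ["no [glexec] section, so no setting is taken into account"]
    s = cp["glexec"]
    out = [f"[{n}] is not taken into account" for n in cp.sections() if n != "glexec"]
    for key, allowed in ENUMS.items():
        if key in s and s[key].lower() not in allowed.split():
            out.append(f"{key} = {s[key]}: expected one of {allowed}")
    for key in LEVELS:
        if key in s and s[key] not in ("1", "2", "3", "4", "5"):
            out.append(f"{key} = {s[key]}: expected 1 to 5")
    if "lock_mechanism" in s:
        out.append("lock_mechanism is deprecated, use target_lock_mechanism")
    if "log_file" in s and s.get("log_destination", "syslog").lower() != "file":
        out.append("log_file only has meaning when log_destination = file")
    if "backlog_path" in s and s.get("user_identity_switch_by", "glexec").lower() == "lcmaps":
        out.append("backlog_path: entries are only created when gLExec does the switch")
    for var in (v.strip() for v in s.get("preserve_env_variables", "").split(",")):
        if var.startswith("MALLOC_"):
            out.append(f"{var}: MALLOC_ variables are removed and cannot be preserved")
        elif var == "LD_LIBRARY_PATH":
            out.append("LD_LIBRARY_PATH: normally ignored by the linker for setuid executables")
    return out

# Constructed sample configuration; the paths are placeholders.
SAMPLE = """[glexec]
linger = maybe
lock_mechanism = fcntl
log_file = /var/log/glexec/glexec.log
log_level = 7
user_identity_switch_by = lcmaps
backlog_path = /var/spool/glexec-backlog
preserve_env_variables = TZ,MALLOC_CHECK_,LD_LIBRARY_PATH
"""
print("\n".join(lint(SAMPLE)))
```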

EXAMPLES

gLExec can be deployed in different scenarios, and for each of these scenarios the content of the configuration files involved needs to be changed.

Full mode:

The first and most common scenario in which gLExec can be deployed is full mode, in which gLExec has its suid bit set. In full mode one can choose to log to syslog or to log to file. It is important that gLExec is installed with the following permissions and ownership:
-rws--x--x 1 root root 12345 2010-02-24 11:07 glexec
-r-------- 1 glexec root 123 2010-02-24 11:07 glexec.conf

The following example configuration file for gLExec can be used in case of full mode and logging to syslog:

[glexec]
silent_logging = no
log_destination = syslog
log_level = 5
user_white_list = .dteam
linger = yes
user_identity_switch_by = lcmaps

The following example config file can be used for LCAS:

pluginname=/opt/glite/lib/modules/lcas_userban.mod,pluginargs=ban_users.db
pluginname=/opt/glite/lib/modules/lcas_voms.mod,pluginargs="-vomsdir /etc/grid-security/vomsdir -certdir /etc/grid-security/certificates -authfile /opt/glite/etc/grid-mapfile -authformat simple -use_user_dn"

The following example config file can be used for LCMAPS:

path = /opt/glite/lib/modules

poolaccount = "lcmaps_poolaccount.mod"
" -override_inconsistency"
" -gridmapfile <grid-mapfile>"
" -gridmapdir <gridmapdir>"

verify_proxy = "lcmaps_verify_proxy.mod"
" -certdir /etc/grid-security/certificates"

posix_enf = "lcmaps_posix_enf.mod"

glexec_get_account:
verify_proxy -> poolaccount
poolaccount -> posix_enf

In case logging to file is wanted, the following slightly altered gLExec configuration file can be used:

[glexec]
silent_logging = no
log_destination = file
log_file = /var/log/glexec/glexec.log
log_level = 5
user_white_list = .dteam
linger = yes
user_identity_switch_by = lcmaps

The following example config file can be used for LCAS:

pluginname=/opt/glite/lib/modules/lcas_userban.mod,pluginargs=ban_users.db
pluginname=/opt/glite/lib/modules/lcas_voms.mod,pluginargs="-vomsdir /etc/grid-security/vomsdir -certdir /etc/grid-security/certificates -authfile /opt/glite/etc/grid-mapfile -authformat simple -use_user_dn"

The following example config file can be used for LCMAPS:

path = /opt/glite/lib/modules

poolaccount = "lcmaps_poolaccount.mod"
" -override_inconsistency"
" -gridmapfile <grid-mapfile>"
" -gridmapdir <gridmapdir>"

verify_proxy = "lcmaps_verify_proxy.mod"
" -certdir /etc/grid-security/certificates"

posix_enf = "lcmaps_posix_enf.mod"

glexec_get_account:
verify_proxy -> poolaccount
poolaccount -> posix_enf

Logging only mode:

gLExec can also run in logging only mode. In this mode gLExec will operate in almost the same manner as in full mode, with the difference that the suid bit of gLExec cannot be set. As a result the identity switch cannot take place, because the process lacks the required privileges, and as far as logging goes only syslog can be used. Use the following permissions:
-rwx--x--x 1 root root 12345 2010-02-24 11:07 glexec
-r--r--r-- 1 glexec root 123 2010-02-24 11:07 glexec.conf

In case of the LCMAPS configuration the posix_enf plugin cannot be called as the process now lacks proper privileges to do the identity switching. This means that for the gLExec configuration nothing has to change as compared to the previous examples, but that in case of LCMAPS, the posix_enf plugin needs to be removed.

The gLExec configuration file might look like this:

[glexec]
silent_logging = no
log_destination = syslog
log_level = 5
user_white_list = .glexec
linger = yes
user_identity_switch_by = lcmaps

The following example config file can be used for LCAS:

pluginname=/opt/glite/lib/modules/lcas_userban.mod,pluginargs=ban_users.db
pluginname=/opt/glite/lib/modules/lcas_voms.mod,pluginargs="-vomsdir /etc/grid-security/vomsdir -certdir /etc/grid-security/certificates -authfile /opt/glite/etc/grid-mapfile -authformat simple -use_user_dn"

The following example config file can be used for LCMAPS:

path = /opt/glite/lib/modules

poolaccount = "lcmaps_poolaccount.mod"
" -override_inconsistency"
" -gridmapfile <grid-mapfile>"
" -gridmapdir <gridmapdir>"

verify_proxy = "lcmaps_verify_proxy.mod"
" -certdir /etc/grid-security/certificates"

posix_enf = "lcmaps_posix_enf.mod"

glexec_get_account:
verify_proxy -> poolaccount

Null mode:

This mode has been discussed as one of the modes of gLExec. In this mode gLExec does not even log as opposed to the logging only mode. In this mode gLExec is virtually non existent. Actually, this mode can be implemented by the following script:

#!/bin/sh
exec "$@"

and as can be seen, gLExec is completely taken out of the equation and hence there is no need to configure either LCAS or LCMAPS, as these libraries will not be called.

INSTALLATION

NOTE: this section is exclusively valid from gLExec version 0.7 and higher.
The preferred ownership for the gLExec executable is root.root or root.glexec. For the config file, the preferred ownership is glexec.root.

For switching mode, the preferred set of permissions for the executable is 4711 and for the config file 0400:
-rws--x--x 1 root root 12345 2010-02-29 12:34 glexec
-r-------- 1 glexec root 123 2010-02-29 12:34 glexec.conf

For logging only mode, the preferred set of permissions for the executable is 0711 and for the config file 0444:
-rwx--x--x 1 root root 12345 2010-02-29 12:34 glexec
-r--r--r-- 1 glexec root 123 2010-02-29 12:34 glexec.conf

These setups also work when either or both are installed on NFS mounts with root-squash enabled.
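
A check of an installation against the preferred permissions and ownership listed in this section, as an added example that is not shipped with gLExec. The deployment labels "switching" and "logging-only" and the function names are chosen for this example, and the demo values at the bottom are constructed.

```python
import grp, os, pwd, stat

# Preferred permission bits and ownership from this section (gLExec 0.7 and higher).
MODES = {"switching":    {"glexec": 0o4711, "glexec.conf": 0o400},
         "logging-only": {"glexec": 0o711,  "glexec.conf": 0o444}}
OWNERS = {"glexec": {("root", "root"), ("root", "glexec")},
          "glexec.conf": {("glexec", "root")}}

def check(kind, deployment, mode, owner, group):
    """Compare one file's permission bits and ownership with the preferred values."""
    findings, want = [], MODES[deployment][kind]
    extra = mode & ~want                   # bits granted beyond the preferred set
    if extra:
        findings.append(f"{kind}: mode {mode:04o} grants {extra:04o} beyond {want:04o}")
    elif mode != want:
        findings.append(f"{kind}: mode {mode:04o} lacks bits of the preferred {want:04o}")
    if (owner, group) not in OWNERS[kind]:
        preferred = " or ".join(sorted(f"{o}.{g}" for o, g in OWNERS[kind]))
        findings.append(f"{kind}: owned by {owner}.{group}, preferred {preferred}")
    return findings

def name_of(lookup, ident):
    """Resolve a uid or gid to a name, falling back to the number."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)

def audit(path, kind, deployment):
    """Run check() on a file on disk; kind is 'glexec' or 'glexec.conf'."""
    st = os.stat(path)
    return check(kind, deployment, stat.S_IMODE(st.st_mode),
                 name_of(pwd.getpwuid, st.st_uid), name_of(grp.getgrgid, st.st_gid))

if __name__ == "__main__":
    # Constructed values: a world-readable config in switching mode and a
    # suid bit left on the executable in logging only mode.
    for args in (("glexec.conf", "switching", 0o644, "glexec", "root"),
                 ("glexec", "logging-only", 0o4711, "root", "root")):
        print(check(*args))
```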

FILES

/opt/glite/etc/glexec.conf

BUGS

Historically, LCMAPS has had the ability to set a different uid through the posix_enf plugin. When this plugin is called from within a privileged environment, it performs the same user identity switching as gLExec does. However, versions up to and including 1.3.7 of the posix_enf plugin (which is part of the basic plugin set) are too strict in their checking for root capabilities. Since gLExec is not executed as root, but merely has its suid bit set and thus is root only effectively, the posix_enf plugin up to and including version 1.3.7 fails because the starting user was not root. This has been fixed for later versions of the posix_enf plugin.

SEE ALSO

glexec(1), flock(2), fcntl(2), ld.so(8)

http://www.nikhef.nl/pub/projects/grid/gridwiki/index.php/GLExec

AUTHORS

Written by Oscar Koeroo & Mischa Sallé (from January 2009)
Written by Gerben Venekamp (until January 2009)

COPYRIGHT

Copyright © 2008-2010 EGEE