Content-type: text/html Manpage of GLEXEC.CONF

GLEXEC.CONF

Section: gLite (5)
Updated: February 2009
Index Return to Main Contents

 

NAME

glexec.conf - configuration file for gLExec

 

DESCRIPTION

The gLExec configuration file is a standard .ini file and by default located at '/opt/glite/etc/glexec.conf'. All gLExec specific settings have to be listed under the [glexec] tag and although other tags are allowed, non other than [glexec] are taken into account.

The following key value pairs are currently understood by gLExec.

[glexec]

linger = {yes,no}
it controls the behaviour of gLExec when it executes the real user job. gLExec can fork the real user job and wait for it to return, i.e. gLExec is said to linger, or gLExec will load the image of the real user job over that of itself and does no linger in that case.
lock_mechanism = {flock,fcntl,disabled} (deprecated)
use target_lock_mechanism instead.
target_lock_mechanism = {flock,fcntl,disabled}
this option will specify which locking mechanism will be used to lock the destination of the target proxy for writing. By default flock(2) will be used (as in previous version). But fcntl(2) can now also be selected. As a bonus you can also disable the locking mechanism, but this option is not safe and should be avoided.
input_lock_mechanism = {flock,fcntl,disabled}
this option will specify which locking mechanism will be used to lock the input proxies for reading, i.e. both the GLEXEC_SOURCE_PROXY and the GLEXEC_CLIENT_CERT. By default flock(2) will be used. fcntl(2) can also be selected. As a bonus you can also disable the locking mechanism, but this option is not safe and should be avoided.
log_destination = {syslog,file}
tells where glexec should send its logging information to. For value file see also next key log_file.
log_file
Specify which file gLExec should use in case file has been chosen as log destination. This key has only meaning when the key log_destination is set to file.
log_level = {1,...,5}
set the log level of gLExec. Higher means more logging, highest level includes debug information.
omission_private_key_white_list
List of comma separated user names that do not have to present a private key in their certificate when calling glexec (note: this applies to the certificate or proxy that will be used for authentication and authorization of the users calling glexec, not the one that can be copied by gLExec).
pedantic_security_checks = {yes,no}
This option will enable the premature checks again. It will check if you can execute the command, regarding the POSIX file system permission bits and your current active Unix credentials in the process. It will also check if the executable is world writable. Default: No (which will not check on these prematurely and trigger the failure at the execv() if any).
preserve_env_variables
List of comma separated environment variables that gLExec need to preserve in addition to the set of default preserved environment variables.
Note: Please note that not all environment variables can be preserved due to the way the linker might work. In case of setuid executables, the linker might try to severely limited the extend of LD_LIBRARY_PATH. This can mean that this environment variable is completely removed from the environment at link time and thus before the call to the main() function of glexec.
prohibit_exec_via_symlink = {yes,no}
This option will disallow the execution of a command or executable that is symlinked. Default: No (which will allow the execution of a symlink)
silent_logging = {yes,no}
turn off/on logging of gLExec
user_identity_switch_by = {glexec,lcmaps}
Determine where the target user identity is enforced. It takes either the value of glexec, which means gLExec will do the actual switching to the target uid, or lcmaps, in which case the actual switching is left to LCMAPS. In case the lcmaps value is used, please take note of the BUGS section.
use_lcas = {yes,no}
make use of the LCAS framework or bypass it.
user_white_list
List of comma separated user names that are allowed to call gLExec. When the name starts with a dot, e.g. .glexec, the name denotes a pool account and matches all user names starting with glexec, followed by one or more digits. Thus .glexec matches the regular expression: glexec[0-9]+.
lcas_db_file
Override the build in location of the LCAS configuration file.
lcas_log_file
Override the build in location of the LCAS output log file. It can be the same as lcmaps_log_file, in which case both LCMAPS and LCAS use the same file to log to.
lcas_log_level = {1,..,5}
Override the build in log level for LCAS.
lcas_debug_level = {1,..,5}
Override the build in debug log level for LCAS.
lcmaps_db_file
Override the build in location of the LCMAPS configuration file.
lcmaps_get_account_policy
Specify one or multiple LCMAPS plugin evaluation policies to be executed. This discards all other policies. Use the policy names as written in the lcmaps.db file. In case of multiple policies, use the colon as a delimiter (this is because the string is not parsed by gLExec, but by LCMAPS). Example: lq]vomspolicy:oldstylepolicyrq].
Note: the order in lq]policy1:policy2rq] is ignored (so lq]policy1:policy2rq] is equivalent to lq]policy2:policy1rq]), since the order in which the policies are run is based on the order in which they appear in the lcmaps.db file.
lcmaps_log_file
Override the build in location of the LCMAPS output log file. It can be the same as lcas_log_file, in which case both LCMAPS and LCAS use the same file to log their output to.
lcmaps_log_level = {1,..,5}
Override the build in log level for LCMAPS.
lcmaps_debug_level = {1,..,5}
Override the build in debug log level for LCMAPS.

 

EXAMPLES

Glexec can be deployed in different scenarios and with each of these scenarios the content of the configuration files involved need to be changed.

Full mode:
The first scenario in which glexec can be deployed is the most common one and that is where glexec has set its suid bit and is called full mode. In full mode one can choose to log to syslog or to log to file. It is important that glexec is installed with the following permissions and ownership:
-rws--s--- 1 root glexec 127453 Nov 26 12:59 ./glexec
i.e. chown root:glexec and chmod 6755

The following example configuration file for glexec can be use in case of full mode and logging to syslog:


[glexec]
silent_logging = no
log_destination = syslog
log_level = 5
user_white_list = .glexec
linger = yes
user_identity_switch_by = lcmaps

The following example config file can be used for LCAS:


pluginname=/opt/glite/lib/modules/lcas_userban.mod,pluginargs=ban_users.db


pluginname=/opt/glite/lib/modules/lcas_voms.mod,pluginargs="-vomsdir /etc/grid-security/vomsdir -certdir /etc/grid-security/certificates -authfile /opt/glite/etc/grid-mapfile -authformat simple -use_user_dn

The following example config file can be used for LCMAPS:


path = /opt/glite/lib/modules

poolaccount = "lcmaps_poolaccount.mod"
" -override_inconsistency"
" -gridmapfile <grid-mapfile>"
" -gridmapdir <gridmapdir>"

verify_proxy = "lcmaps_verify_proxy.mod"
" -certdir /etc/grid-security/certificates"
" --allow-limited-proxy"

posix_enf = "lcmaps_posix_enf.mod"

glexec_get_account:
verify_proxy -> poolaccount
poolaccount -> posix_enf

In case logging to file is wanted, the following slightly altered glexec config file can be used:


[glexec]
silent_logging = no
log_destination = file
log_file = /var/log/glexec/glexec.log
log_level = 5
user_white_list = .glexec
linger = yes
user_identity_switch_by = lcmaps

The following example config file can be used for LCAS:


pluginname=/opt/glite/lib/modules/lcas_userban.mod,pluginargs=ban_users.db


pluginname=/opt/glite/lib/modules/lcas_voms.mod,pluginargs="-vomsdir /etc/grid-security/vomsdir -certdir /etc/grid-security/certificates -authfile /opt/glite/etc/grid-mapfile -authformat simple -use_user_dn

The following example config file can be used for LCMAPS:



path = /opt/glite/lib/modules


poolaccount = "lcmaps_poolaccount.mod"
" -override_inconsistency"
" -gridmapfile <grid-mapfile>"
" -gridmapdir <gridmapdir>"

verify_proxy = "lcmaps_verify_proxy.mod"
" -certdir /etc/grid-security/certificates"
" --only-post-verify-checks"

posix_enf = "lcmaps_posix_enf.mod"


glexec_get_account:
verify_proxy -> poolaccount
poolaccount -> posix_enf

Logging only mode:
gLExec can also run in logging only mode. In this mode gLExec will operate in almost the same manner as in full mode with the difference that the suid bit of gLExec cannot be set and as a result of that that the identity switch can not take place due to missing privileges of the process and that as far as logging goes only syslog can be used.
-rwx--x--- 1 root glexec 127453 Nov 26 12:59 ./glexec
i.e. chown root:glexec and chmod 0755

In case of the LCMAPS configuration the posix_enf plugin cannot be called as the process now lacks proper privileges to do the identity switching. This means that for the gLExec configuration nothing has to change as compared to the previous examples, but that in case of LCMAPS, the posix_enf plugin needs to be removed.

The gLExec configuration file might look like this:


[glexec]
silent_logging = no
log_destination = syslog
log_level = 5
user_white_list = .glexec
linger = yes
user_identity_switch_by = lcmaps

The following example config file can be used for LCAS:


pluginname=/opt/glite/lib/modules/lcas_userban.mod,pluginargs=ban_users.db


pluginname=/opt/glite/lib/modules/lcas_voms.mod,pluginargs="-vomsdir /etc/grid-security/vomsdir -certdir /etc/grid-security/certificates -authfile /opt/glite/etc/grid-mapfile -authformat simple -use_user_dn

The following example config file can be used for LCMAPS:



path = /opt/glite/lib/modules


poolaccount = "lcmaps_poolaccount.mod"
" -override_inconsistency"
" -gridmapfile <grid-mapfile>"
" -gridmapdir <gridmapdir>"

verify_proxy = "lcmaps_verify_proxy.mod"
" -certdir /etc/grid-security/certificates"
" --allow-limited-proxy"

posix_enf = "lcmaps_posix_enf.mod"


glexec_get_account:
verify_proxy -> poolaccount

Null mode:
This mode has been discussed as one of the modes of glexec. In this mode glexec does not even log as opposed to the logging only mode. In this mode glexec is virtually non existent. Actually, this mode can be implemented by the following script:
#!/bin/sh
exec $@

and as can be seen, glexec is completely taken out of the equation and hence there is no need to configure either LCAS or LCMAPS as these libraries will not be called for.

 

BUGS

Historically, LCMAPS has had the ability to set a different uid through the posix_enf plugin. When this plugin is called from within a privileged environment, it performs the same user identity switching as gLExec does. However, versions up to and including 1.3.7 of the posix_enf plugin (which is part of the basic plugin set) are too strict in their checking for root capabilities. Since gLExec is not executed as root, but merely has its suid bit and thus only effectively is root, the posix_enf up to and including version 1.3.7 fails because the starting users was not root. This has been fixed for later versions of the posix_enf plugin.

 

FILES

/opt/glite/etc/glexec.conf

 

SEE ALSO

glexec(1)

 

AUTHORS

Written by Oscar Koeroo & Mischa Sall'e (from January 2009)
Written by Gerben Venekamp (until January 2009)

 

COPYRIGHT

Copyright © 2008, 2009 EGEE


 

Index

NAME
DESCRIPTION
EXAMPLES
BUGS
FILES
SEE ALSO
AUTHORS
COPYRIGHT

This document was created by man2html, using the manual pages.
Time: 10:14:14 GMT, May 15, 2009