After #128 is merged, `flux-imp exec` will have the ability to pass arbitrary options to the job shell. Since the job shell will be running as the guest user, this opens the ability for the instance owner to modify shell behavior without explicit permission from the submitting user. This could, for example, allow the instance owner to add an `--initrc=` option to the shell and execute arbitrary code as the guest user.
This functionality is necessary for the system instance, in order to at least supply a `--reconnect` option to allow for recoverable jobs after a broker restart. However, before non-system multi-user instances are supported, we should add some way to restrict the options passed down to the job shell, so that arbitrary, non-system users are limited in what options they can pass to a job shell.
For now, however, this issue would only be a problem if a non-system user was listed in `allowed-users` and they were able to execute the IMP. We suggest only the system instance owner, e.g. user `flux`, be listed in `allowed-users` and that user be the only one allowed to execute `flux-imp`.
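One shape the proposed restriction could take is an allowlist check applied to the forwarded shell options before the IMP execs the shell. The following is an added example written for this issue, not code from flux-security or flux-imp: the allowlist contents, the `=`-suffix convention for options that take a value, and the function names are all assumptions. With only `--reconnect` permitted, the `--initrc=` option mentioned above is rejected by name, regardless of its value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist of job-shell options that may be forwarded when the
 * caller is not the system instance owner. An entry ending in '=' permits the
 * option with a value ("--name=value"); any other entry permits only the bare
 * flag. --reconnect is the one option the issue names; the rest of the policy
 * is an assumption for this example. */
static const char *allowed_shell_options[] = {
    "--reconnect",
    NULL,
};

/* Return true if `opt` (e.g. "--reconnect" or "--initrc=/path") is permitted
 * by `allowlist`. Only long options are considered; anything else is refused
 * so a stray positional argument cannot slip through. */
bool shell_option_allowed(const char *opt, const char **allowlist)
{
    if (!opt || strncmp(opt, "--", 2) != 0)
        return false;
    for (size_t i = 0; allowlist[i]; i++) {
        const char *a = allowlist[i];
        size_t alen = strlen(a);
        if (alen == 0)
            continue;
        if (a[alen - 1] == '=') {
            /* option that takes a value: compare the "--name=" prefix only */
            if (strncmp(opt, a, alen) == 0)
                return true;
        } else if (strcmp(opt, a) == 0) {
            /* bare flag: exact match, so "--reconnect=x" is not accepted */
            return true;
        }
    }
    return false;
}

/* Check every forwarded option in argv[0..argc). Returns the index of the
 * first option that is not on the allowlist, or -1 if all are permitted.
 * A caller would refuse to exec the shell unless this returns -1. */
int check_shell_options(int argc, const char **argv, const char **allowlist)
{
    for (int i = 0; i < argc; i++) {
        if (!shell_option_allowed(argv[i], allowlist))
            return i;
    }
    return -1;
}

int main(void)
{
    /* constructed sample option lists, as a non-system user might submit */
    const char *ok[] = { "--reconnect" };
    const char *bad[] = { "--reconnect", "--initrc=/tmp/rc.lua" };

    int r = check_shell_options(1, ok, allowed_shell_options);
    printf("ok list: %s\n", r < 0 ? "permitted" : "rejected");
    r = check_shell_options(2, bad, allowed_shell_options);
    if (r >= 0)
        printf("bad list: rejected option %d (%s)\n", r, bad[r]);
    return 0;
}
```

Matching on the option name rather than on the full string is the important detail: a blocklist keyed on `--initrc=/some/path` would be bypassed by any other path, whereas an allowlist keyed on the name admits only what the policy explicitly lists.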