Allow condor_ssh_to_job for non-setuid singularity #6931
GregThain committed Feb 26, 2019
1 parent 3ad5e1f commit 105c359
Showing 1 changed file with 18 additions and 13 deletions.
31 changes: 18 additions & 13 deletions src/condor_starter.V6.1/os_proc.cpp
Expand Up @@ -1027,15 +1027,11 @@ OsProc::makeCpuAffinityMask(int slotId) {
void
OsProc::SetupSingularitySsh() {
#ifdef LINUX
// Right now, this only works if we are root.
if (!can_switch_ids()) {
return;
}

// First, create a unix domain socket that we can listen on
int uds = socket(AF_UNIX, SOCK_STREAM, 0);
if (uds < 0) {
dprintf(D_ALWAYS, "Cannot create unix domain socket for docker ssh_to_job\n");
dprintf(D_ALWAYS, "Cannot create unix domain socket for singularity ssh_to_job\n");
return;
}

Expand Down Expand Up @@ -1106,20 +1102,29 @@ OsProc::AcceptSingSshClient(Stream *stream) {
}
ArgList args;
args.AppendArg("/usr/bin/nsenter");
args.AppendArg("-a"); // all namespaces
args.AppendArg("-t"); // target pid
char buf[32];
sprintf(buf,"%d", pid);
args.AppendArg(buf); // pid of running job

args.AppendArg("/usr/sbin/chroot");
bool setuid = param_boolean("SINGULARITY_IS_SETUID", true);
if (setuid) {
// The default case where singularity is using a setuid wrapper
args.AppendArg("-a"); // all namespaces
args.AppendArg("/usr/sbin/chroot");

args.AppendArg("--userspec");
sprintf(buf, "%d", get_user_uid());
args.AppendArg(buf);
args.AppendArg("--userspec");
sprintf(buf, "%d", get_user_uid());
args.AppendArg(buf);

sprintf(buf,"/proc/%d/root", pid);
args.AppendArg(buf);
sprintf(buf,"/proc/%d/root", pid);
args.AppendArg(buf);
} else {
args.AppendArg("-U"); // enter only the User namespace
args.AppendArg("-r"); // chroot
args.AppendArg("-preserve-credentials");

}

Env env;
MyString env_errors;
Expand All @@ -1128,7 +1133,7 @@ OsProc::AcceptSingSshClient(Stream *stream) {
singExecPid = daemonCore->Create_Process(
"/usr/bin/nsenter",
args,
PRIV_ROOT,
setuid ? PRIV_ROOT : PRIV_USER,
singReaperId,
FALSE,
FALSE,
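Review bot: The non-setuid branch appends `-preserve-credentials` with a single dash (the line after `args.AppendArg("-r")`), but nsenter's long option is `--preserve-credentials`; GNU getopt treats a single-dash multi-character token as clustered short options, so this is likely to be read as `-p` with `reserve-credentials` as its optional namespace-file argument rather than as the credentials flag. Change it to `args.AppendArg("--preserve-credentials");`. Separately, the first hunk drops the `can_switch_ids()` early return unconditionally, while the default `SINGULARITY_IS_SETUID=true` path still relies on PRIV_ROOT and `-a`; consider keeping that guard for the setuid case in SetupSingularitySsh, e.g. `if (param_boolean("SINGULARITY_IS_SETUID", true) && !can_switch_ids()) return;`, so a non-root starter with the default config does not create a listening socket it cannot serve. AcceptSingSshClient begins before and ends after the second and third hunks.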
