From f49c22af6d9c4215f8d97f388ca47961c46015b2 Mon Sep 17 00:00:00 2001
From: Simon Byrne
Date: Mon, 12 Aug 2019 16:15:42 -0700
Subject: [PATCH 1/2] Run-as-root env vars in orterun.c I found that I needed to apply the same change as #5597 to orterun.c for the environment variables to work correctly.
Signed-off-by: Simon Byrne
(cherry picked from commit 9c8671c48b946f4387cddb6a66aaab572fa983dd)
---
 orte/tools/orterun/orterun.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/orte/tools/orterun/orterun.c b/orte/tools/orterun/orterun.c
index 7f80b147aed..2c436c69db3 100644
--- a/orte/tools/orterun/orterun.c
+++ b/orte/tools/orterun/orterun.c
@@ -142,6 +142,14 @@ int orterun(int argc, char *argv[])
 * exit with a giant warning flag
 */
 if (0 == geteuid() && !orte_cmd_options.run_as_root) {
+ char *r1, *r2;
+ if (NULL != (r1 = getenv("OMPI_ALLOW_RUN_AS_ROOT")) &&
+ NULL != (r2 = getenv("OMPI_ALLOW_RUN_AS_ROOT_CONFIRM"))) {
+ if (0 == strcmp(r1, "1") && 0 == strcmp(r2, "1")) {
+ goto moveon;
+ }
+ }
+
 fprintf(stderr, "--------------------------------------------------------------------------\n");
 if (NULL != orte_cmd_options.help) {
 fprintf(stderr, "%s cannot provide the help message when run as root.\n", orte_basename);
@@ -159,6 +167,7 @@ int orterun(int argc, char *argv[])
 exit(1);
 }
 
+ moveon:
 /* setup to listen for commands sent specifically to me, even though I would probably
 * be the one sending them! Unfortunately, since I am a participating daemon,
 * there are times I need to send a command to "all daemons", and that means *I* have
From 549abeaa8743db7a8cac77c6291549d92696f8aa Mon Sep 17 00:00:00 2001
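Review bot: In the first hunk the `goto moveon` path lifts the run-as-root guard without printing anything: once `OMPI_ALLOW_RUN_AS_ROOT` and `OMPI_ALLOW_RUN_AS_ROOT_CONFIRM` are both `"1"` the process continues as root, and because environment variables are inherited from the parent shell, job script or service definition, the override can be in effect without appearing on the command line. A comment above the check would record that intent, for example `/* env-var override: both must be exactly "1"; inherited from the parent environment, so not visible in argv */`. The refusal message printed by this block (its "You can override this protection" lines appear in the second patch's removed code) still names only `--allow-run-as-root` and should mention the two variables as well. As a style point, the `moveon:` label added in the second hunk could be avoided by folding the environment test into the `if` condition through a small helper; orterun() begins and ends outside both hunks, so the includes needed for `getenv`/`strcmp` cannot be checked from here.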
From: Jeff Squyres
Date: Mon, 19 Aug 2019 15:36:59 -0400
Subject: [PATCH 2/2] orterun: remove duplicate code https://github.com/open-mpi/ompi/pull/6895 fixed the code in orterun.c to allow running as root if both OMPI_ALLOW_RUN_AS_ROOT and OMPI_ALLOW_RUN_AS_ROOT_CONFIRM env vars are set. However, this env-var-checking code already exists in orte_submit.c:orte_submit_init() -- it looks like the geteuid()/getenv()-checking code here in orterun is now duplicate code. So let's just get rid of the duplicate code.
Signed-off-by: Jeff Squyres
(cherry picked from commit 197beb30d555922b084ac3b89bb97321bf157e88)
---
 orte/tools/orterun/orterun.c | 31 -------------------------------
 1 file changed, 31 deletions(-)
diff --git a/orte/tools/orterun/orterun.c b/orte/tools/orterun/orterun.c
index 2c436c69db3..3a7abc6a361 100644
--- a/orte/tools/orterun/orterun.c
+++ b/orte/tools/orterun/orterun.c
@@ -137,37 +137,6 @@ int orterun(int argc, char *argv[])
 exit(1);
 }
 
- /* check if we are running as root - if we are, then only allow
- * us to proceed if the allow-run-as-root flag was given. Otherwise,
- * exit with a giant warning flag
- */
- if (0 == geteuid() && !orte_cmd_options.run_as_root) {
- char *r1, *r2;
- if (NULL != (r1 = getenv("OMPI_ALLOW_RUN_AS_ROOT")) &&
- NULL != (r2 = getenv("OMPI_ALLOW_RUN_AS_ROOT_CONFIRM"))) {
- if (0 == strcmp(r1, "1") && 0 == strcmp(r2, "1")) {
- goto moveon;
- }
- }
-
- fprintf(stderr, "--------------------------------------------------------------------------\n");
- if (NULL != orte_cmd_options.help) {
- fprintf(stderr, "%s cannot provide the help message when run as root.\n", orte_basename);
- } else {
- /* show_help is not yet available, so print an error manually */
- fprintf(stderr, "%s has detected an attempt to run as root.\n", orte_basename);
- }
- fprintf(stderr, "Running at root is *strongly* discouraged as any mistake (e.g., in\n");
- fprintf(stderr, "defining TMPDIR) or bug can result in catastrophic damage to the OS\n");
- fprintf(stderr, "file system, leaving your system in an unusable state.\n\n");
- fprintf(stderr, "You can override this protection by adding the --allow-run-as-root\n");
- fprintf(stderr, "option to your cmd line. However, we reiterate our strong advice\n");
- fprintf(stderr, "against doing so - please do so at your own risk.\n");
- fprintf(stderr, "--------------------------------------------------------------------------\n");
- exit(1);
- }
-
- moveon:
 /* setup to listen for commands sent specifically to me, even though I would probably
 * be the one sending them! Unfortunately, since I am a participating daemon,
 * there are times I need to send a command to "all daemons", and that means *I* have