From 7f1444d5f9e504ff50392a0f73e81787c01b7a0e Mon Sep 17 00:00:00 2001
From: Ralph Castain
Date: Fri, 24 Aug 2018 16:41:05 -0700
Subject: [PATCH] Allow run-as-root if 2 envars are set
Per suggestion by @bangerth, allow mpirun to execute as root if two envars are set to specific values
Per conversation with @jsquyres, name the envars OMPI_ALLOW_RUN_AS_ROOT and OMPI_ALLOW_RUN_AS_ROOT_CONFIRM
Fixes #4451
Signed-off-by: Ralph Castain
Signed-off-by: Jeff Squyres
---
 orte/orted/orted_submit.c | 18 +++++++++++++++---
 orte/tools/orterun/orterun.1in | 26 ++++++++++++++++++++++++--
 2 files changed, 39 insertions(+), 5 deletions(-)
diff --git a/orte/orted/orted_submit.c b/orte/orted/orted_submit.c
index a1ad7d7b52..f835db4ae2 100644
--- a/orte/orted/orted_submit.c
+++ b/orte/orted/orted_submit.c
@@ -324,6 +324,14 @@ int orte_submit_init(int argc, char *argv[],
 * exit with a giant warning flag */
 if (0 == geteuid() && !orte_cmd_options.run_as_root) {
+ /* check for two envars that allow override of this protection */
+ char *r1, *r2;
+ if (NULL != (r1 = getenv("OMPI_ALLOW_RUN_AS_ROOT")) &&
+ NULL != (r2 = getenv("OMPI_ALLOW_RUN_AS_ROOT_CONFIRM"))) {
+ if (0 == strcmp(r1, "1") && 0 == strcmp(r2, "1")) {
+ goto moveon;
+ }
+ }
 /* show_help is not yet available, so print an error manually */
 fprintf(stderr, "--------------------------------------------------------------------------\n");
 if (orte_cmd_options.help) {
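Review bot: The environment override in the added block is taken silently: when both variables compare equal to "1" the code jumps to `moveon` without writing anything, so an image or service definition that exports them disables the root guard for every later launch with no trace in the job output. A one-line notice ahead of `goto moveon;`, for example `fprintf(stderr, "%s: running as root (OMPI_ALLOW_RUN_AS_ROOT override)\n", orte_basename);`, would make the bypass visible in logs. The override also leaves `orte_cmd_options.run_as_root` false, so any later code that consults that flag (none is visible in this hunk) would see a different state than it does with `--allow-run-as-root`. The body of orte_submit_init starts and ends outside the hunk.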
@@ -338,13 +346,17 @@ int orte_submit_init(int argc, char *argv[],
 fprintf(stderr, "We strongly suggest that you run %s as a non-root user.\n\n", orte_basename);
- fprintf(stderr, "You can override this protection by adding the --allow-run-as-root\n");
- fprintf(stderr, "option to your command line. However, we reiterate our strong advice\n");
- fprintf(stderr, "against doing so - please do so at your own risk.\n");
+ fprintf(stderr, "You can override this protection by adding the --allow-run-as-root option\n");
+ fprintf(stderr, "to the cmd line or by setting two environment variables in the following way:\n");
+ fprintf(stderr, "the variable OMPI_ALLOW_RUN_AS_ROOT=1 to indicate the desire to override this\n");
+ fprintf(stderr, "protection, and OMPI_ALLOW_RUN_AS_ROOT_CONFIRM=1 to confirm the choice and\n");
+ fprintf(stderr, "add one more layer of certainty that you want to do so.\n");
+ fprintf(stderr, "We reiterate our advice against doing so - please proceed at your own risk.\n");
 fprintf(stderr, "--------------------------------------------------------------------------\n");
 exit(1);
 }
+ moveon:
 /* process any mca params */
 rc = mca_base_cmd_line_process_args(orte_cmd_line, &environ, &environ);
 if (ORTE_SUCCESS != rc) {
diff --git a/orte/tools/orterun/orterun.1in b/orte/tools/orterun/orterun.1in
index aef58239ef..4d9d5665d4 100644
--- a/orte/tools/orterun/orterun.1in
+++ b/orte/tools/orterun/orterun.1in
@@ -645,7 +645,10 @@ Allow
 .I mpirun
 to run when executed by the root user
 .RI ( mpirun
-defaults to aborting when launched as the root user).
+defaults to aborting when launched as the root user). Be sure to see
+the
+.I Running as root
+section, below, for more detail.
 .
 .
 .TP
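Review bot: The `moveon:` label added after the closing brace exists only so the env-var check in the previous hunk can jump over the warning block, and a forward `goto` around an `exit(1)` path is easy to break when someone later inserts code between the guard and the label. Evaluating the two variables into a local before the guard and testing it in the condition, e.g. `if (0 == geteuid() && !orte_cmd_options.run_as_root && !env_override) {`, would remove both the label and the jump and keep the whole policy decision in one expression. Whichever form is kept, a short comment at the guard stating that both variables must be exactly "1" would document the intended strictness. orte_submit_init continues outside the hunk.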
@@ -1628,7 +1631,26 @@ To override this default, you can add the
 .I --allow-run-as-root
 option to the
 .I mpirun
-command line.
+command line, or you can set the environmental parameters
+.I OMPI_ALLOW_RUN_AS_ROOT=1
+and
+.IR OMPI_ALLOW_RUN_AS_ROOT_CONFIRM=1 .
+Note that it takes setting
+.I two
+environment variables to effect the same behavior as
+.I --allow-run-as-root
+in order to stress the Open MPI team's strong advice against running
+as the root user. After extended discussions with communities who use
+containers (where running as the root user is the default), there was
+a persistent desire to be able to enable root execution of
+.I mpirun
+via an environmental control (vs. the existing
+.I --allow-run-as-root
+command line parameter). The compromise of using
+.I two
+environment variables was reached: it allows root execution via an
+environmental control, but it conveys the Open MPI team's strong
+recomendation against this behavior.
 .
 .SS Exit status
 .