GLExec Service Reference Card

From PDP/Grid Wiki
Jump to navigationJump to search

GLExec on WN, CE and anywhere else  

Functional description

gLExec is a program that acts as a light-weight 'gatekeeper'. gLExec takes Grid credentials as input. gLExec takes the local site policy into account to authenticate and authorize the credentials. gLExec will switch to a new execution sandbox and execute the given command as the switched identity. gLExec is also capable of functioning as a light-weight control point which offers a binary yes/no result called the logging-only mode.

It is used on the Worker Node in the context of Multi User Pilot Jobs and on a CE in the context of CREAM.

The main gLExec home page with useful how-to's, debugging hints and a FAQ is located at:

http://wiki.nikhef.nl/gridwiki/GLExec

Daemons running

None. The SCAS or Argus daemons are usually on a separate node (type).

Init scripts and options (start|stop|restart|...)

No init scripts are needed for the gLExec.

In the Manual pages of gLExec we have explained all the command line options of the executable:

http://wiki.nikhef.nl/gridwiki/Man_pages_of_gLExec

Configuration files location with example or template

The glexec.conf configuration file path is set at compile due to the security implication related to operating gLExec in a safe way.

The default location of the glexec.conf file is: /opt/glite/etc/glexec.conf for gLite versions and /etc/glexec.conf for others, including EMI.

Note: for OSG users who get gLExec via VDT the path is: /etc/glexec/glexec.conf

See the glexec.conf man page for details.

Logfile locations (and management) and other useful audit information

The build-in log file location for gLExec is /var/log/glexec/glexec_log. This can be changed at compile time or altered using the glexec.conf file using the log_file setting.

Syslog can also be used.

In the glexec.conf manual page we have explained all the possibilities of configuring the log file location.

Open ports

There are no open ports created. The only network related interaction results from the syslog client-side interface and the SCAS or Argus client-side interface. In both cases gLExec acts as a networked client.

Possible unit test of the service

There are several tips and hints to test the functionality of gLExec. They can be found at:

http://wiki.nikhef.nl/gridwiki/Debugging_hints

Where is service state held (and can it be rebuilt)

To lower administrative maintenance we advice to use a service like SCAS, Argus or GUMS to be used in conjunction with the gLExec on Worker Nodes scenarios. The mapping state will be held at the respective back-end mapping service.

gLExec could still be installed with node-local mappings. An /etc/grid-security/gridmapdir/ will keep the mapping state as like an LCG-CE.

Cron jobs

N/a.

Security information

Access control Mechanism description (authentication & authorization)

Proxy certificate verification in the verify proxy plugin. LCAS framework, using the user_ban plugin. The LCAS VOMS plugin can be used to whitelist or blacklist; note that this requires the use of GACL to express it. Offloading possibility for the authorization decision to a Argus, SCAS or GUMS service.

How to block/ban a user

We recommend to ban a user at a Argus, SCAS or GUMS service. A node local mapping is still supported. gLExec features LCAS and a user_ban plugin. Enter a DN in the configured file and the DN will be banned for use on that host.

Network Usage

When gLExec is configured to use Syslog, the node local Syslog configuration might lead to network interaction. On a Worker Node installation it is recommended to use a SCAS, Argus or GUMS service. These authorization (and mapping) services feature mutual authentication using SSL and a SOAP over HTTP with SAML2-XACML2 authorization statements. Argus uses its own simplified language and talks via a Hessian protocol instead.

Firewall configuration

Outbound connection for syslog (when applicable) and outbound connection (SSL) to the Argus, SCAS or GUMS service node. Typically TCP port 8154 for Argus, 8443 for SCAS or GUMS. In this case 'Outbound' means, from the node to the central service node, not the outside world.

Security recommendations

File permissions

For all run-modes of gLExec, the gLExec binary must be executable for all users.

Versions up to 0.6.8-3
  • For running gLExec in setuid mode, preferably use the following mode (setuid and setgid):
  -r-sr-sr-x 1 root   root   12345 2010-02-29 12:34 glexec
  -rw-r----- 1 root   glexec   123 2010-02-29 12:34 glexec.conf
  • In case setgid is not possible, preferably use the following mode (only setuid):
  -r-sr-xr-x 1 root   root   12345 2010-02-29 12:34 glexec
  -rw-r--r-- 1 root   glexec   123 2010-02-29 12:34 glexec.conf
  • For running gLExec in logging only mode, preferably use the following mode:
  -r-xr-xr-x 1 root   root   12345 2010-02-29 12:34 glexec
  -rw-r--r-- 1 root   glexec   123 2010-02-29 12:34 glexec.conf

These settings also work when either or both are installed on NFS mounts with root-squash enabled.

Version 0.7.X and up
  • For running gLExec in setuid mode, preferably use the following mode (only setuid):
  -rws--x--x 1 root   root   12345 2010-02-29 12:34 glexec 
  -r-------- 1 glexec root     123 2010-02-29 12:34 glexec.conf 
  • For running gLExec in logging only mode, preferably use the following mode:
  -rwx--x--x 1 root   root   12345 2010-02-29 12:34 glexec 
  -r--r--r-- 1 glexec root     123 2010-02-29 12:34 glexec.conf

These settings also work when either or both are installed on NFS mounts with root-squash enabled.

File permission verification

To prevent a wrong installation of gLExec, which could lead to easy exploitation of the computer system, an outside source must be able to verify the installation. Consider the use of tripwire, rpm --verify <rpm package name> or something similar. For gLExec versions before 0.9 rpm --verify will not work as for those versions the gLExec package has not yet been packaged with the setuid and/or setgid permission bits.

Security incompatibilities

Unknown. If any is found, please inform the developers of gLExec about any problem or incompatibility.

List of externals (packages are NOT maintained by Red Hat or by gLite/EMI)

None.

Other security relevant comments

Environment Variables

Two detailed overviews have been made about the use of environment variables by gLExec.

The following overview handles the safety features with respect to environment variables. It handles the MALLOC_* and LD_* family environment variables and how gLExec deals with some of the common shell environment variables, like HOME:

http://wiki.nikhef.nl/gridwiki/Need_to_Know's#Safety_features


This overview handles proxy file handling via the environment variables. Which variables services which purposes and so on:

http://wiki.nikhef.nl/gridwiki/Proxy_file_handling_in_gLExec

Whitelist

The gLExec executable can only be used by users in the whitelist. There are two ways of getting in the whitelist. The build-in method can be used in absence of a glexec.conf configuration file. The build-in method is to look at the user's primary and secondary Unix group that are currently associated with the user. One of the groupnames must be equal to 'glexec'. This will allow the user to continue running gLExec. The other (more advertised) method is to configure the line *user_white_list* in the glexec.conf configuration file.

The user_white_list line holds a list of comma separated user names that are allowed to call gLExec. When the name starts with a dot, e.g. .pool, the name denotes a pool account and matches all user names starting with pool, followed by one or more digits. Thus .pool matches the regular expression: glexec[0-9]+.

Typically in our infrastructure the poolaccount that a especially setup to allow for pilot job framework execution are listed in the whitelist only.

Note: also root is 'just an account' and needs to be whitelist in the special case that you wish to test or use gLExec with root privileges.

Utility scripts

We're gathering a list of simple and more complex test scripts on the follow page to test gLExec in various ways:

http://wiki.nikhef.nl/gridwiki/Debugging_hints

Location of reference documentation for users

We provide the following wiki for both system administrators and users:

http://wiki.nikhef.nl/gridwiki/GLExec

Location of reference documentation for administrators

We provide the following wiki for both system administrators and users:

http://wiki.nikhef.nl/gridwiki/GLExec