Difference between revisions of "GLExec Environment Wrap and Unwrap scripts"

From PDP/Grid Wiki
 
(32 intermediate revisions by 2 users not shown)
Line 1: Line 1:
We provide a new package named [http://eticssoft.web.cern.ch/eticssoft/repository/org.glite/org.glite.security.glexec-wrapper-scripts/ glexec-wrapper-scripts].
+
GLExec Wrap and Unwrap environment variables describes how you can wrap environment variables (from a Pilot Job Framework) in such a way that they don't get wipe and unwrap them (safely) in the target account (Pilot Job Payload) process.
  
 +
More (details) information can be found on the [[Need to Know's]] page.
  
 +
== Where to find packages and sources ==
  
To help you master the obstacles of gLExec's security we offer some interesting How To material:  
+
The sources can be found as [http://software.nikhef.nl/security/glexec-wrapper-scripts/ distribution tarball] or in our [https://ndpfsvn.nikhef.nl/viewvc/mwsec/trunk/mwsec-utils/glexec-wrapper-scripts/ SVN repository].
  
* [https://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/pdpsoft/trunk/grid-mw-security/glexec/util/wrap-env-var/ GLExec Wrap and Unwrap environment variables] describes how you can wrap environment variables in such a way that they don't get wipe and unwrap them (safely) in the target account (pilot job payload) process.
+
We provide a package named glexec-wrapper-scripts, which is distributed as part of the glexec-wn metapackage, in EMI and UMD.
  
=== gLExec wrapper scripts: glexec_wrapenv.pl and glexec_unwrapenv.pl) ===
+
CURRENT_WRAPPER_VERSION=0.0.7-1
 +
glexec-wrapper-scripts-${CURRENT_WRAPPER_VERSION}.el5.noarch.rpm
 +
glexec-wrapper-scripts-${CURRENT_WRAPPER_VERSION}.el6.noarch.rpm
 +
glexec-wrapper-scripts_${CURRENT_WRAPPER_VERSION}_all.deb
 +
glexec-wrapper-scripts-${CURRENT_WRAPPER_VERSION}.tar.gz
  
Helper script to restore the environment variables previously wrapped into the environment variable GLEXEC_ENV using the glexec_wrapenv.pl script.
+
== gLExec wrapper scripts: glexec_wrapenv.pl and glexec_unwrapenv.pl ==
  
Intended usage:
+
Helper scripts to restore the environment variables previously wrapped into the environment variable GLEXEC_ENV using the glexec_wrapenv.pl script.
 +
 
 +
=== Intended usage ===
 
  export GLEXEC_ENV=`glexec_wrapenv.pl`
 
  export GLEXEC_ENV=`glexec_wrapenv.pl`
  /opt/glite/sbin/glexec glexec_unwrapenv.pl -- <YOUR-COMMAND>
+
  /usr/sbin/glexec glexec_unwrapenv.pl -- <YOUR-COMMAND>
  
 +
=== (Making) Exceptions ===
 
By default the following environment variables are NOT unwrapped:
 
By default the following environment variables are NOT unwrapped:
 
* HOME  
 
* HOME  
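Review bot: the added introduction line reads "they don't get wipe"; it should be "they don't get wiped". The added description under the wrapper-scripts heading ("Helper scripts to restore the environment variables previously wrapped ...") only covers the unwrap side, so a sentence saying what glexec_wrapenv.pl itself does would complete it.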
Line 21: Line 30:
 
* X509_USER_PROXY  
 
* X509_USER_PROXY  
 
* _  (yes that's '_' !)
 
* _  (yes that's '_' !)
 +
 +
This set of environment variables must kept relative to the active user account. The X509_USER_PROXY and the HOME variables are set explicitly to values that are appropriate to the mapped user account.
  
 
A user can add more env vars to be excluded using either
 
A user can add more env vars to be excluded using either
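Review bot: the added sentence "This set of environment variables must kept relative to the active user account" is missing "be". It explains how HOME and X509_USER_PROXY are set for the mapped account but gives no reason for the other names in the list, including '_'; one more sentence would close that gap.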
Line 27: Line 38:
 
  --exclude=A,B,...
 
  --exclude=A,B,...
  
 +
=== Examples ===
 
Example 1:
 
Example 1:
 
  export GLEXEC_ENV=`glexec_wrapenv.pl --exclude=MYVAR`
 
  export GLEXEC_ENV=`glexec_wrapenv.pl --exclude=MYVAR`
  /opt/glite/sbin/glexec glexec_unwrapenv.pl -- <YOUR-COMMAND>
+
  /use/sbin/glexec glexec_unwrapenv.pl -- <YOUR-COMMAND>
  
 
Example 2:
 
Example 2:
 
  export GLEXEC_ENV=`glexec_wrapenv.pl`
 
  export GLEXEC_ENV=`glexec_wrapenv.pl`
  /opt/glite/sbin/glexec glexec_unwrapenv.pl --exclude=MYVAR -- <YOUR-COMMAND>
+
  /usr/sbin/glexec glexec_unwrapenv.pl --exclude=MYVAR -- <YOUR-COMMAND>
  
 
Example 3:
 
Example 3:
  export GLEXEC_ENV=`glexec_wrapenv.pl --exclude=MYVAR`
+
  export GLEXEC_ENV=`glexec_wrapenv.pl --exclude=MYVAR,FOO`
  /opt/glite/sbin/glexec glexec_unwrapenv.pl -- <YOUR-COMMAND>
+
  /usr/sbin/glexec glexec_unwrapenv.pl -- <YOUR-COMMAND>
 +
 
 +
== Combined, easy to adopt, script: glexec_wrap.sh ==
 +
 
 +
We've combined the two Perl scripts and the gLExec call into a plain and simple shell script. This script is also packaged in the glexec-wrapper-scripts as the shell script:  /usr/sbin/'''glexec_wrap.sh'''
 +
 
 +
Content:
 +
#!/bin/sh
 +
if test -n "${GLEXEC_LOCATION}"
 +
then
 +
    BASEDIR="${GLEXEC_LOCATION}"
 +
elif test -n "${GLITE_LOCATION}"
 +
then
 +
    BASEDIR="${GLITE_LOCATION}"
 +
else
 +
    BASEDIR="/usr"
 +
fi
 +
 +
cd ${BASEDIR}
 +
export GLEXEC_ENV=`${0%/*}/glexec_wrapenv.pl`
 +
exec ${BASEDIR}/sbin/glexec ${0%/*}/glexec_unwrapenv.pl -- $@
 +
 
 +
Usage:
 +
/usr/sbin/glexec_wrap.sh /usr/bin/id -a
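Review bot: Example 1 now calls /use/sbin/glexec, a typo for the /usr/sbin/glexec used in Examples 2 and 3. In the added glexec_wrap.sh, $@ on the exec line is unquoted, so arguments containing spaces are split before they reach gLExec; use "$@", and quote ${BASEDIR} and ${0%/*} as well.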

Latest revision as of 10:21, 8 January 2014

GLExec Wrap and Unwrap environment variables describes how you can wrap environment variables (from a Pilot Job Framework) in such a way that they don't get wiped, and unwrap them (safely) in the target account (Pilot Job Payload) process.

More detailed information can be found on the Need to Know's page.

Where to find packages and sources

The sources can be found as distribution tarball or in our SVN repository.

We provide a package named glexec-wrapper-scripts, which is distributed as part of the glexec-wn metapackage, in EMI and UMD.

CURRENT_WRAPPER_VERSION=0.0.7-1
glexec-wrapper-scripts-${CURRENT_WRAPPER_VERSION}.el5.noarch.rpm
glexec-wrapper-scripts-${CURRENT_WRAPPER_VERSION}.el6.noarch.rpm
glexec-wrapper-scripts_${CURRENT_WRAPPER_VERSION}_all.deb
glexec-wrapper-scripts-${CURRENT_WRAPPER_VERSION}.tar.gz

gLExec wrapper scripts: glexec_wrapenv.pl and glexec_unwrapenv.pl

Helper scripts to restore the environment variables previously wrapped into the environment variable GLEXEC_ENV using the glexec_wrapenv.pl script.

Intended usage

export GLEXEC_ENV=`glexec_wrapenv.pl`
/usr/sbin/glexec glexec_unwrapenv.pl -- <YOUR-COMMAND>

(Making) Exceptions

By default the following environment variables are NOT unwrapped:

  • HOME
  • LOGNAME
  • USER
  • X509_USER_PROXY
  • _ (yes that's '_' !)

This set of environment variables must be kept relative to the active user account. The X509_USER_PROXY and the HOME variables are set explicitly to values that are appropriate to the mapped user account.

A user can add more env vars to be excluded using either

--exclude=A --exclude=B

or

--exclude=A,B,...

Examples

Example 1:

export GLEXEC_ENV=`glexec_wrapenv.pl --exclude=MYVAR`
/usr/sbin/glexec glexec_unwrapenv.pl -- <YOUR-COMMAND>

Example 2:

export GLEXEC_ENV=`glexec_wrapenv.pl`
/usr/sbin/glexec glexec_unwrapenv.pl --exclude=MYVAR -- <YOUR-COMMAND>

Example 3:

export GLEXEC_ENV=`glexec_wrapenv.pl --exclude=MYVAR,FOO`
/usr/sbin/glexec glexec_unwrapenv.pl -- <YOUR-COMMAND>
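
The exclusion rules above, sketched as an added example in Python; this is not the glexec-wrapper-scripts code. The function names, the JSON-plus-base64 encoding and the sample account names and paths are assumptions, since the page does not document the real GLEXEC_ENV format.

```python
import base64
import json
import re

# Names the page lists as never unwrapped: they must describe the mapped
# (payload) account, not the pilot account that did the wrapping.
DEFAULT_EXCLUDES = frozenset({"HOME", "LOGNAME", "USER", "X509_USER_PROXY", "_"})
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")

def parse_excludes(options):
    """Accept both documented forms: --exclude=A --exclude=B and --exclude=A,B."""
    names = set()
    for opt in options:
        if opt.startswith("--exclude="):
            names.update(n for n in opt[len("--exclude="):].split(",") if n)
    return names

def wrap_env(env, exclude=()):
    """Pilot side: pack every variable not in `exclude` into one string.
    JSON + base64 is an assumed encoding, not the real GLEXEC_ENV format."""
    skip = set(exclude)
    kept = {k: v for k, v in env.items() if k not in skip}
    return base64.b64encode(json.dumps(kept, sort_keys=True).encode()).decode("ascii")

def unwrap_env(blob, target_env, exclude=()):
    """Payload side: merge wrapped variables into the mapped account's
    environment, leaving protected and user-excluded names untouched."""
    skip = DEFAULT_EXCLUDES | set(exclude)
    wrapped = json.loads(base64.b64decode(blob, validate=True))
    if not isinstance(wrapped, dict):
        raise ValueError("wrapped environment must be a name/value mapping")
    result = dict(target_env)
    for name, value in wrapped.items():
        if name in skip:
            continue
        # The blob crosses an account boundary: accept only NAME=string pairs.
        if not NAME_RE.match(name) or not isinstance(value, str) or "\0" in value:
            raise ValueError(f"refusing malformed entry {name!r}")
        result[name] = value
    return result

# Constructed sample environments (not taken from a real worker node).
PILOT_ENV = {"HOME": "/home/pilot", "USER": "pilot", "MYVAR": "a b",
             "X509_USER_PROXY": "/tmp/x509up_pilot", "FOO": "bar", "JOB_ID": "42"}
PAYLOAD_ENV = {"HOME": "/home/pool001", "USER": "pool001",
               "X509_USER_PROXY": "/tmp/x509up_pool001"}

if __name__ == "__main__":
    blob = wrap_env(PILOT_ENV, parse_excludes(["--exclude=MYVAR,FOO"]))
    print(unwrap_env(blob, PAYLOAD_ENV))
```

The payload environment keeps its own HOME, USER and X509_USER_PROXY whether the exclusion is given on the wrap side (Examples 1 and 3) or on the unwrap side (Example 2).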

Combined, easy to adopt, script: glexec_wrap.sh

We've combined the two Perl scripts and the gLExec call into a plain and simple shell script. This script is also packaged in the glexec-wrapper-scripts as the shell script: /usr/sbin/glexec_wrap.sh

Content:

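#!/bin/sh
# Pick the gLExec installation prefix: GLEXEC_LOCATION, then GLITE_LOCATION, then /usr.
if test -n "${GLEXEC_LOCATION}"
then
   BASEDIR="${GLEXEC_LOCATION}"
elif test -n "${GLITE_LOCATION}"
then
   BASEDIR="${GLITE_LOCATION}"
else
   BASEDIR="/usr"
fi

cd "${BASEDIR}" || exit 1
# Wrap the current environment into GLEXEC_ENV; the helper scripts are looked up next to this script.
export GLEXEC_ENV="$("${0%/*}/glexec_wrapenv.pl")"
# Run the command under gLExec, unwrapping the environment first; "$@" keeps each argument intact.
exec "${BASEDIR}/sbin/glexec" "${0%/*}/glexec_unwrapenv.pl" -- "$@"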

Usage:

/usr/sbin/glexec_wrap.sh /usr/bin/id -a