All new accounts created on Gitlab now require administrator approval. If you invite any collaborators, please let Flux staff know so they can approve the accounts.

Commit 59857b38 authored by Ryan Jackson's avatar Ryan Jackson

XML-RPC: Run frisbeelauncher as root for subboss

Subbosses authenticate to the XML-RPC server as elabman, which means the
resulting server process runs as the elabman user.  Unfortunately, this
doesn't work well when the subboss wants to launch a frisbeed for an
image for which elabman doesn't have read permission (like images under

To fix this, a setuid wrapper script is run instead of trying to run
frisbeelauncher directly.  This script makes sure the calling user is
elabman, and then becomes root and execs frisbee_launcher.
parent 44a0833c
......@@ -43,7 +43,8 @@ SBIN_STUFF = resetvlans console_setup.proxy sched_reload named_setup \
elabinelab snmpit.proxy panic node_attributes \
nfstrace plabinelab smbpasswd_setup smbpasswd_setup.proxy \
rmproj snmpit.proxynew snmpit.proxyv2 pool_daemon \
checknodes_daemon subboss_frisbeelauncher_wrapper
checknodes_daemon subboss_frisbeelauncher_wrapper \
ifeq ($(ISMAINSITE),1)
SBIN_STUFF += repos_daemon
......@@ -95,7 +96,8 @@ SETUID_BIN_SCRIPTS = node_reboot eventsys_control tarfiles_setup savelogs \
SETUID_SBIN_SCRIPTS = mkproj rmgroup mkgroup frisbeelauncher frisbeeimage \
rmuser idleswap named_setup exports_setup \
sfskey_update setgroups newnode_reboot vnode_setup \
elabinelab nfstrace rmproj subboss_frisbeelauncher_wrapper
elabinelab nfstrace rmproj subboss_frisbeelauncher_wrapper \
SETUID_LIBX_SCRIPTS = console_setup spewlogfile
ifeq ($(SYSTEM),FreeBSD)
......@@ -233,6 +235,8 @@ endif
chmod u+s $(INSTALL_SBINDIR)/frisbeelauncher
chown root $(INSTALL_SBINDIR)/subboss_frisbeelauncher_wrapper
chmod u+s $(INSTALL_SBINDIR)/subboss_frisbeelauncher_wrapper
chown root $(INSTALL_SBINDIR)/subboss_wrapper
chmod u+s $(INSTALL_SBINDIR)/subboss_wrapper
chown root $(INSTALL_SBINDIR)/frisbeeimage
chmod u+s $(INSTALL_SBINDIR)/frisbeeimage
chown root $(INSTALL_SBINDIR)/rmuser
#!/usr/bin/perl -wT
# Copyright (c) 2009-2010 University of Utah and the Flux Group.
# All rights reserved.
use strict;
use English;
sub usage()
print "Usage: subboss_wrapper <command> [args]\n";
print "\n";
print "Valid commands:\n";
print " frisbee_launcher [args] Run frisbee_launcher with specified arugments\n";
print "\n";
sub fatal($) {
my($mesg) = $_[0];
die("*** $0:\n".
" $mesg\n");
my $TB = "@prefix@";
my $ELABMAN = "elabman";
my $FRISBEE_LAUNCHER = "$TB/sbin/frisbeelauncher";
use lib "@prefix@/lib";
use User;
# un-taint path
$ENV{'PATH'} = '/bin:/usr/bin:/usr/local/bin:/usr/site/bin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
# We do not want to run this script unless its the real version.
if ($EUID != 0) {
die("*** $0:\n".
" Must be setuid! Maybe its a development version?\n");
# We need this user for running below.
my $elabman = User->Lookup($ELABMAN);
if (!defined($elabman)) {
fatal("Could not lookup $ELABMAN user. Exiting ...");
if ($UID != $elabman->unix_uid()) {
die("Must be elabman to run this script\n");
# Switch to root
$UID = $EUID = 0;
usage() if (@ARGV == 0);
my $command = shift @ARGV;
if ($command eq 'frisbeelauncher') {
# Pass the argument list through as-is
my @args = map { /(.*)/; $1 } @ARGV;
exec $FRISBEE_LAUNCHER, @args;
} else {
fatal("Invalid command \"$command\"");
This diff is collapsed.
......@@ -4619,7 +4619,8 @@ class subboss:
# has permission to load the image in libosload so we don't need to
# check again in frisbeelauncher. Only a subboss can make this request
# anyway.
(exitval, output) = runcommand(TBDIR + "/sbin/wap " + TBDIR + "/sbin/frisbeelauncher " + argstr)
(exitval, output) = runcommand(TBDIR + "/sbin/subboss_wrapper frisbee_launcher " + argstr)
if exitval:
return EmulabResponse(RESPONSE_ERROR, exitval >> 8, output=output)
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment