You could set the setuid bit on the application and chown it to root?? It is about as secure as anything else that has been described thus far. As a system admin, I cringe at the thought of anything that would allow something to run as someone else, so there would have to be a pretty good justification for such a unique use case as yours.
Randall
On 14.09.2011 at 19:02, Blosch, Edwin L wrote:
What about a half-tight integration (or call it: classic tight integration), i.e. no recompilation necessary?
> Thanks for trying.
>
> Do you feel that this is an impossible request without the assistance of some process running as root, for example, as Reuti mentioned, the daemons of a job scheduler? Or are you saying it will just not be as straightforward as calling setgid as you had hoped?
>
> Also, do you think there is a way I could make use of the sg command below? Perhaps there is a way to have the rsh/ssh launcher start the application processes with a command like 'sg <group> <executable name>'?
- set up your mpiexec call in the jobscript to use a plain rsh for the remote startup (no path given): -mca plm_rsh_agent rsh
- the PE of SGE needs the argument -catch_rsh in start_proc_args and the supplied script in $SGE_ROOT/mpi/startmpi.sh
(SGE will create a symbolic link in $TMPDIR therein [which will be called first this way] to the rsh-wrapper in $SGE_ROOT/mpi [pitfall: some applications need a -V to be added in the lines with "qrsh", i.e. "qrsh -inherit -V ..." to send all environment variables to the slaves])
- what is your setting of qrsh_daemon/qrsh_command in `qconf -sconf`? This will then be used finally to reach the node and should be builtin or point to the SGE supplied rsh/rshd (no rshd necessary to install, no rshd is running all the time, no rshd will be started by xinet.d or alike)
- like you do already: switch off the built-in SGE starter in your mpiexec call: -mca plm_rsh_disable_qrsh 1
-- Reuti
PS: To avoid misunderstandings: you could also set "-mca plm_rsh_agent foobar" and in $SGE_ROOT/mpi/startmpi.sh you change it to create a symbolic link called "foobar" in $TMPDIR. It's just a name at this stage of startup.
> Ed
>
>
> NAME
> sg - execute command as different group ID
>
> SYNOPSIS
> sg [-] [group [-c ] command]
>
> DESCRIPTION
> The sg command works similar to newgrp but accepts a command. The
> command will be executed with the /bin/sh shell. With most shells you
> may run sg from, you need to enclose multi-word commands in quotes.
> Another difference between newgrp and sg is that some shells treat
> newgrp specially, replacing themselves with a new instance of a shell
> that newgrp creates. This doesn't happen with sg, so upon exit from a
> sg command you are returned to your previous group ID.
>
>
>
>
> -----Original Message-----
> From: users-bounces@open-mpi.org [mailto:users-bounces@open-mpi.org] On Behalf Of Ralph Castain
> Sent: Wednesday, September 14, 2011 11:33 AM
> To: Open MPI Users
> Subject: Re: [OMPI users] EXTERNAL: Re: Can you set the gid of the processes created by mpirun?
>
>
> On Sep 14, 2011, at 9:39 AM, Blosch, Edwin L wrote:
>
>> Thanks, Ralph,
>>
>> I get the failure messages, unfortunately:
>>
>> setgid FAILED
>> setgid FAILED
>> setgid FAILED
>>
>> I actually had attempted to call setgid from within the application previously, which looks similar to what you've done, but it failed. That was when I initiated the post to the mailing list. My conclusion, a guess really, was that Linux would not let me setgid from within my program because I was not root.
>
> I was afraid of that - the documentation seemed to indicate that would be the case, but I figured it was worth a quick try. Sorry I can't be of help.
>
>
>>
>>
>> -----Original Message-----
>> From: users-bounces@open-mpi.org [mailto:users-bounces@open-mpi.org] On Behalf Of Ralph Castain
>> Sent: Wednesday, September 14, 2011 8:15 AM
>> To: Open MPI Users
>> Subject: Re: [OMPI users] EXTERNAL: Re: Can you set the gid of the processes created by mpirun?
>>
>> The attached should set the gid of the remote daemons (and their children) to the gid of mpirun. No cmd line option or anything is required - it will just always do it.
>>
>> Would you mind giving it a try?
>>
>> Please let me know if/how it works.
>>
>> _______________________________________________
>> users mailing list
>> users@open-mpi.org
>> http://www.open-mpi.org/mailman/listinfo.cgi/users
>
>
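The `setgid FAILED` result reported in the thread follows from the Linux rule for processes without CAP_SETGID: being a member of a group does not allow `setgid()` to it. The C program below is an added example, not code from the thread or from Open MPI; its function names are hypothetical, and it assumes the process has not changed its group IDs since exec, so that the saved gid equals the effective gid. It tries `setgid()` to each of the caller's supplementary groups in a forked child and prints the outcome next to what the rule predicts.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Linux rule for a process without CAP_SETGID: setgid(target) succeeds only
 * if target is already the real, effective or saved gid. Membership in
 * target as a supplementary group is not enough. */
int unprivileged_setgid_allowed(gid_t target, gid_t rgid, gid_t egid, gid_t sgid)
{
    return target == rgid || target == egid || target == sgid;
}

/* Attempt setgid(target) in a forked child so the caller's own ids are left
 * untouched. Returns 0 on success, the child's errno (e.g. EPERM) on
 * failure, or -1 if the child did not exit normally. */
int try_setgid_in_child(gid_t target)
{
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0)
        _exit(setgid(target) == 0 ? 0 : errno);
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    gid_t groups[256];
    gid_t rgid = getgid(), egid = getegid();
    int n = getgroups(256, groups);
    if (n < 0) { perror("getgroups"); return 1; }
    /* Assumption: no set*gid() call since exec, so saved gid == egid. */
    printf("rgid=%d egid=%d euid=%d\n", (int)rgid, (int)egid, (int)geteuid());
    for (int i = 0; i < n; i++) {
        int rc = try_setgid_in_child(groups[i]);
        printf("setgid(%d): %s (rule predicts %s without CAP_SETGID)\n", (int)groups[i],
               rc == 0 ? "ok" : rc > 0 ? strerror(rc) : "child died",
               unprivileged_setgid_allowed(groups[i], rgid, egid, egid) ? "ok" : "EPERM");
    }
    return 0;
}
```

Run as an ordinary user who belongs to a secondary group, the line for that group shows EPERM, which is why the options discussed in the thread all involve a privileged helper.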