The source project of this merge request has been removed.
sudo based PMGLauncher
Since I don't know why a sudo based PMGLaunch script should not work, I decided to write one so people can tell what is wrong with it.
This has been tested on a local (virtualized) machine with the TDAQ CentOS 7 environmnent and the nightly release.
- In a local IPC domain a new pmgserver for the user is started, then everything works as expected for the same user (starting initial, partitions)
- Another user that can access this IPC domain is however refused (since the PMGLauncher script will call sudo and there is no rule for it) - this is a feature, not a bug...
- For a 'system' wide pmgserver, a sudoers file like in etc/sudoers.d/pmg has to be installed by an admin. It defines the valid user under which pmgserver may change user IDs, the allowed target user IDs (all in the example, can be netgroup, e.g active daq:something roles or whatever, in Point 1).
- For this example, the initial partition can be started under 'tdaqsw' user, then user 'rhauser' can succesfully start his partition and all processes belong to him.
The sudoers file does are few modifications to defaults that probably should be fine-tuned:
- it allows overriding the environment
- it disables pam_setcred and pam_session, which allows it to avoid a fork+exec and do the execv() directly. The result is that in the process tree the pmglauncher will be a direct child of pmgserver, just like in the case where no sudo is involved.
There is no more suid executable in the TDAQ release needed.
Edited by Reiner Hauser