diff --git a/NEWS b/NEWS
index 3349d4ebd977d1bd7a367f2477d08cd58fdb2ae4..2885e2e56828e81fc1fe0a9a237952cdb64b10aa 100644
--- a/NEWS
+++ b/NEWS
@@ -233,6 +233,8 @@ documents those changes that are of interest to users and admins.
 * Changes in SLURM 1.2.27
 =========================
 -- Record job eligible time in accounting database (for jobacct/gold only).
+ -- Prevent user root from executing a job step within a job allocation
+ belonging to another user.
 * Changes in SLURM 1.2.26
 =========================
diff --git a/src/slurmctld/proc_req.c b/src/slurmctld/proc_req.c
index e413d8a57af649fa7b0977828c22d7bd39af6146..cd09bacdaab2f659e5e083e5310791469bf9452b 100644
--- a/src/slurmctld/proc_req.c
+++ b/src/slurmctld/proc_req.c
@@ -1107,9 +1107,10 @@ static void _slurm_rpc_job_step_create(slurm_msg_t * msg)
 dump_step_desc(req_step_msg);
 uid = g_slurm_auth_get_uid(msg->auth_cred, NULL);
- if ( (uid != req_step_msg->user_id) && (!validate_super_user(uid)) ) {
- error("Security violation, JOB_STEP_CREATE RPC from uid=%u",
- (unsigned int) uid);
+ if (uid != req_step_msg->user_id) {
+ error("Security violation, JOB_STEP_CREATE RPC from uid=%u "
+ "to run as uid %u",
+ (unsigned int) uid, req_step_msg->user_id);
 slurm_send_rc_msg(msg, ESLURM_USER_ID_MISSING);
 return;
 }
@@ -1816,6 +1817,7 @@ static void _slurm_rpc_submit_batch_job(slurm_msg_t * msg)
 /* do RPC call */
 uid = g_slurm_auth_get_uid(msg->auth_cred, NULL);
 if ( (uid != job_desc_msg->user_id) && (!validate_super_user(uid)) ) {
+ /* NOTE: User root can submit a batch job for any other user */
 error_code = ESLURM_USER_ID_MISSING;
 error("Security violation, SUBMIT_JOB from uid=%u",
 (unsigned int) uid);
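Review bot: In `_slurm_rpc_job_step_create` the rewritten check drops the `validate_super_user()` exemption without a comment saying this is deliberate, while the batch-submit check in the same file gains a NOTE explaining that root is still allowed there. A one-line comment above the `if`, such as `/* NOTE: no super-user exemption: root may not create a step as another user */`, would keep a later maintainer from restoring the exemption. The new `error()` call also casts `uid` to `unsigned int` but passes `req_step_msg->user_id` to `%u` uncast; casting both, `(unsigned int) uid, (unsigned int) req_step_msg->user_id);`, keeps the arguments matched to the format. The function body starts and ends outside the hunk.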
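Review bot: The NOTE added in `_slurm_rpc_submit_batch_job` sits inside the branch that rejects the request, so it reads as if it described the denial rather than the case the condition lets through. Placing it above the `if`, for example `/* NOTE: a super user (root) may submit a batch job on behalf of any other user */`, puts it next to the test it explains. The function continues outside the hunk.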
@@ -1848,6 +1850,17 @@ static void _slurm_rpc_submit_batch_job(slurm_msg_t * msg)
 return;
 }
 #endif
+
+ if (job_ptr->user_id != uid) {
+ error("Security violation, uid=%u attempting "
+ "to execute a step within job %u owned "
+ "by user %u",
+ (unsigned int) uid, job_ptr->job_id,
+ job_ptr->user_id);
+ slurm_send_rc_msg(msg, ESLURM_USER_ID_MISSING);
+ unlock_slurmctld(job_write_lock);
+ return;
+ }
 error_code = _launch_batch_step(job_desc_msg, uid, &step_id);
 unlock_slurmctld(job_write_lock);
diff --git a/src/slurmctld/step_mgr.c b/src/slurmctld/step_mgr.c
index 1ec6869e96c9df218fa7c3ffd678e4b95a1838ff..e3ce5cfa1bf7f2963c832dddfa535d81962c2bb5 100644
--- a/src/slurmctld/step_mgr.c
+++ b/src/slurmctld/step_mgr.c
@@ -819,29 +819,18 @@ step_create(job_step_create_request_msg_t *step_specs,
 return ESLURM_DUPLICATE_JOB_ID;
 }
+ /* NOTE: We have already confirmed the UID originating
+ * the request is identical with step_specs->user_id */
+ if (step_specs->user_id != job_ptr->user_id)
+ return ESLURM_ACCESS_DENIED ;
+
 if (batch_step) {
- static bool wiki_sched = false;
- static bool wiki_sched_test = false;
- if (!wiki_sched_test) {
- char *sched_type = slurm_get_sched_type();
- if ((strcmp(sched_type, "sched/wiki") == 0) ||
- (strcmp(sched_type, "sched/wiki2") == 0))
- wiki_sched = true;
- xfree(sched_type);
- wiki_sched_test = true;
- }
 info("user %u attempting to run batch script within "
 "an existing job", step_specs->user_id);
 /* This seems hazardous to allow, but LSF seems to
- * work this way, so don't treat it as an error. */
- if (wiki_sched)
- return ESLURM_ACCESS_DENIED;
+ * work this way, so don't treat it as an error. */
 }
- if ((step_specs->user_id != job_ptr->user_id) &&
- (step_specs->user_id != 0))
- return ESLURM_ACCESS_DENIED ;
-
 if (IS_JOB_FINISHED(job_ptr) || (job_ptr->end_time <= time(NULL)))
 return ESLURM_ALREADY_DONE;
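Review bot: The new ownership check in `_slurm_rpc_submit_batch_job` calls `slurm_send_rc_msg()` while `job_write_lock` is still held, so a reply to a slow or stalled client is sent with the job write lock taken, whereas the success path just below releases the lock right after `_launch_batch_step()`. The `error()` call reads `job_ptr` and belongs under the lock, but the reply does not: put `unlock_slurmctld(job_write_lock);` ahead of `slurm_send_rc_msg(msg, ESLURM_USER_ID_MISSING);`. The rejection is also reported as `ESLURM_USER_ID_MISSING`, while `step_create()` in step_mgr.c returns `ESLURM_ACCESS_DENIED` for the same ownership mismatch; one code for both would make the denial easier to recognise in client output and logs. The enclosing block starts outside the hunk, so the earlier return paths are not visible here.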
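Review bot: The ownership test added at the top of this `step_create()` hunk is only as strong as the invariant stated in its comment, that the caller has already matched the authenticated UID against `step_specs->user_id`, and nothing in `step_create()` itself enforces that or documents it for callers. For the batch path, proc_req.c compares `job_ptr->user_id` with `uid` before `_launch_batch_step()`, but how that function fills in `step_specs->user_id` is not visible here and should be confirmed. I would state the precondition in the function's header comment, for example `/* Caller must have verified that step_specs->user_id is the authenticated UID of the requester */`, so that a new caller cannot skip it unnoticed. The function starts and ends outside the hunk.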