Environment
- OOD Core Version: 0.29.0
- Open OnDemand Version: 4.0.8-1
- OS: Rocky Linux 8
- Ruby: 3.3
Problem
In lib/ood_core/job/adapters/linux_host/launcher.rb, the username is determined using:
When running in the PUN (Per-User NGINX) context, Etc.getlogin returns root instead of the actual user. This causes the LinuxHostAdapter to SSH as root to the target host and run jobs as root.
Impact
- Severity: Critical - SSH connections made as root user, they either fail or
- Jobs execute with root privileges instead of user privileges
Root Cause
Etc.getlogin returns the username from the controlling terminal. In daemon/web contexts (like PUN), there is no controlling terminal, so it returns the process owner (often root).
From Ruby documentation:
Unfortunately, it is often rather easy to fool getlogin(). Avoid getlogin() for security-related purposes.
Solution
Replace with Etc.getpwuid.name, which correctly returns the effective user ID:
@username = Etc.getpwuid.name
Testing
Before (incorrect):
# In PUN context
Etc.getlogin
# => "root"
After (correct):
# In PUN context
Etc.getpwuid.name
# => "username" # actual user
Note
OOD already uses Etc.getpwuid.name correctly elsewhere (e.g., in session_store.rb):
dir = "/var/tmp/#{Etc.getpwuid.name}"
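An added example, not code from ood_core: one way a launcher could derive the SSH username from the process UID and check it before building any command. It goes beyond the one-line fix by refusing uid 0 and by reporting a disagreement with Etc.getlogin. The helper names, the refuse-root policy and the passwd table are assumptions constructed for illustration.

```ruby
require 'etc'

# Added example; these helper names are hypothetical and not part of ood_core.
class IdentityError < StandardError; end

# Resolve the account name from a UID via the passwd database. Etc.getpwuid
# with no argument looks up the real UID; passing Process.euid makes the
# choice of the effective UID explicit.
def resolve_username(uid: Process.euid, lookup: Etc.method(:getpwuid), allow_root: false)
  entry = begin
    lookup.call(uid)
  rescue ArgumentError
    nil # Etc.getpwuid raises ArgumentError for a UID with no passwd entry
  end
  raise IdentityError, "no passwd entry for uid #{uid}" if entry.nil?
  # Assumed policy: a per-user web process should never launch jobs as root.
  raise IdentityError, 'refusing to launch jobs as uid 0' if uid.zero? && !allow_root

  entry.name
end

# Describe a disagreement between the login record and the UID-derived name so
# it can be logged before an SSH command is built. Returns nil when they agree.
def login_mismatch(login:, uid: Process.euid, lookup: Etc.method(:getpwuid))
  name = resolve_username(uid: uid, lookup: lookup, allow_root: true)
  return nil if login == name

  "getlogin=#{login.inspect} but uid #{uid} is #{name.inspect}"
end

# Constructed passwd table standing in for /etc/passwd on a PUN host.
FakePasswd = Struct.new(:name, :uid)
FAKE_DB = { 0 => FakePasswd.new('root', 0), 1001 => FakePasswd.new('alice', 1001) }.freeze
FAKE_LOOKUP = ->(uid) { FAKE_DB.fetch(uid) { raise ArgumentError, "can't find user for #{uid}" } }

if __FILE__ == $PROGRAM_NAME
  # Case from the report: process owned by alice, login record says root.
  puts resolve_username(uid: 1001, lookup: FAKE_LOOKUP)
  puts login_mismatch(login: 'root', uid: 1001, lookup: FAKE_LOOKUP)
end
```

In a real process, call resolve_username with no arguments to use Process.euid and the system passwd database.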