Normal user can view and delete other user's job (query_other_jobs set to false))

Users/Site Administrators
1

The PBS version is 19.1.3.

I googled a bit and set query_other_jobs then restart the pbs server. However normal can still see and delete other user’s job. Any place I should check first?

root@headnode:~# qmgr -c “print server” | grep -i other
set server query_other_jobs = False

Please let me know any additional information I should provide to troubleshoot on this.

2

Hi,
Maybe this topic helps You:

3

Thank you for your quick resonse. Like the thread you replied, I am also using ldap as central user management.
I then removed every (sss) from /etc/nssswitch.conf and reboot head node.
However, ldap user can still view/delete other’s job.

By following the thread’s instruction, I uploaded the server output to below url for page tidiness.
http://52.175.51.26/pbs/pbsserver_output.txt

Then I also try to use the supplied code to test ruserok.

  1. It gave me some warning message when compling
  2. It said allowed access.
  3. I use a remote host then even don’t have ldap configured but it sill said allowed access. That confuses me.

demo01@hpc-hn001:~/wlm$ cc ruserok.c -o ruserok
ruserok.c: In function ‘main’:
ruserok.c:20:14: warning: implicit declaration of function ‘ruserok’ [-Wimplicit-function-declaration]
rc = ruserok(argv[1], 0, argv[2], argv[3]);
^~~~~~~
demo01@hpc-hn001:~/wlm$ ./ruserok hpc-hn001 demo01 demo02
on local host hpc-hn001, from remote host hpc-hn001
remote user demo01 is allowed access as local user demo02
demo01@hpc-hn001:~/wlm$ ./ruserok hpc-bn001 demo01 demo02 #hpc-bn001 does not have ldap configured and demo01/demo02 cannot log in to this server.
on local host hpc-hn001, from remote host hpc-bn001
remote user demo01 is allowed access as local user demo02
demo01@hpc-hn001:~/wlm$
demo01@hpc-hn001:~/wlm$ cat ruserok.c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
int main(int argc, char *argv[])
{
int rc;
char hn[257];

    if (argc != 4) {
            fprintf(stderr, "Usage: %s remote_host remote_user1 local_user2\n", argv[0]);
            return 1;
    }
    if (gethostname(hn, 256) < 0) {
            perror("unable to get hostname");
            return 2;
    }
    hn[256] = '\0';

    printf("on local host %s, from remote host %s\n", hn, argv[1]);
    rc = ruserok(argv[1], 0, argv[2], argv[3]);
    if (rc == 0)
            printf("remote user %s is allowed access as local user %s\n", argv[2], argv[3]);
    else
            printf("remote user %s is denied access as local user %s\n", argv[2], argv[3]);

    return 0;

}
demo01@hpc-hn001:~/wlm$

4

query_other_jobs is for users. It isn’t for managers/operators. Are you a manager? If so, you’ll still see all the jobs. If so, try as a normal user.

Bhroam

5

I was testing with normal user demo01 and demo02. They are both normal user and not manager or operator.

Set server attributes.


set server managers = root@hpc-hn002.cm.cluster
set server managers += root@hpc-hn001.cm.cluster
set server operators = root@hpc-hn002.cm.cluster
set server operators += root@hpc-hn001.cm.cluster

6

Thank you for all your support by leading me looking into the ruserok description in the internet I found out that hosts.equiv might be the problem and it is.

Someone changed the hosts.equiv for testing and put “+” in the file and forget to revert it.
After removing the “+” in the hosts.equiv and now all it is working as expect.

7

It’s good that you figured it out!
As a note, you do not need to add root to managers/operators. Root is automatically a manager (and a manager can do everything an operator can do any more).