
Is it possible to run users' jobs in chroot environment using Slurm

Tags:

slurm

chroot

I'm using Slurm. I want users only to access their own /home/ directory (or the directory that they executed their job in), Ubuntu packages that are installed by the sudo user, and binary files under /bin, such as: ls, cat, rm etc.

I do not want each user to have any read/write access to the other users' files and important files such as /etc/passwd.

I observe that when any slurm-job runs under a new user, it can read all files under the root (/) directory such as /etc/passwd.


Starting from the answer to "Is it possible to force SLURM to have access to only job's running folder and not alter any other file?", it has been recommended to use chroot:

If you want to make sure your job has no way to write outside of a specific directory, you can use the chroot command in your job submission script, but that seems a bit odd and less easy to manage than UNIX permissions.


The chroot() system call changes the process’s root directory to the directory specified by pathname

Is it possible to run users' jobs in the chroot environment (chroot()-jailed) using Slurm?


As an alternative solution, I have controlled file access through UNIX permissions, where a job can only write where the submitting user has permission to write; please see: slurm: How to submit a job under another user and prevent to read other users' files?

alper asked Nov 06 '22 12:11


1 Answer

I do not want each user to have any read/write access to the other users' files and important files such as /etc/passwd.

It is normal for users to be allowed to read /etc/passwd; it is necessary for many operations. Sensitive information such as password hashes, which originally were stored in /etc/passwd, is nowadays stored in /etc/shadow in all Linux distributions.

I observe that when any slurm-job runs under a new user, it can read all files under the root (/) directory such as /etc/passwd.

Again, it is normal for regular users to be able to read files in / ; it enables them to access installed software, see information about their processes, etc.

Only /root should be readable by root only.

As for the files of other users, they will typically be in /home, so make sure that the sub-directories in /home are 700 and are owned by their respective users.

Files in /etc might also hold sensitive information, but package managers often make sure the proper permissions are set on these files.

If you are concerned about privacy, you should also configure Slurm to disable node sharing and to keep accounting information private. See more information here.

damienfrancois answered Nov 27 '22 20:11
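The home-directory check recommended in the answer above, as an added example that is not part of the original answer: a small audit that reports every directory under /home that is not mode 700 or not owned by the user it is named after. It assumes GNU stat (as on Ubuntu) and that each home directory carries its owner's login name; `audit_homes` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: audit per-user home directories on a Slurm node.
# Assumptions: GNU stat is available and each directory directly under
# the base path is named after the account that should own it.

audit_homes() {
    base=${1:-/home}
    findings=0
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue            # glob matched nothing
        dir=${dir%/}
        [ -L "$dir" ] && continue            # do not follow symlinked homes
        name=${dir##*/}
        [ "$name" = "lost+found" ] && continue

        mode=$(stat -c '%a' -- "$dir")       # octal permission bits
        owner=$(stat -c '%U' -- "$dir")      # owner login name

        # Anything other than 700 may let group or other users list or
        # read the directory from inside their own jobs.
        if [ "$mode" != "700" ]; then
            printf 'BAD_MODE %s %s\n' "$dir" "$mode"
            findings=$((findings + 1))
        fi
        # A home owned by a different account defeats the mode check.
        if [ "$owner" != "$name" ]; then
            printf 'BAD_OWNER %s %s\n' "$dir" "$owner"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]                    # exit status 0 only when clean
}

# Usage on a compute or login node:
#   audit_homes /home || echo "fix the directories listed above"
```

Run it on every node that mounts /home, since a job sees the permissions of the node it lands on.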