Security aspects
================

In OAR, security and user switching is managed by the "oardodo" command.  It is
a suid binary which can be executed only by root and the oar group members that
is used to launch a command, a terminal or a script with the privileges of a
particular user.  When "oardodo" is called, it checks the value of an
environment variable: ``OARDO_BECOME_USER``.

  - If this variable is empty, "oardodo" will execute the command with the
    privileges of the superuser (root).

  - Else, this variable contains the name of the user that will be used to
    execute the command.


Here are the scripts/modules where "oardodo" is called and which user is used
during this call:

  - OAR::Modules::Judas:
    this module is used for logging and notification.

    * user notification: email or command execution.
      OARDO_BECOME_USER = user

  - oarsub:
    this script is used for submitting jobs or reservations.

    * read user script
    * connection to the job and the remote shell
    * keys management
    * job key export

    for all these functions, the user used in the OARDO_BECOME_USER variable is
    the user that submits the job.

  - pingchecker:
    this module is used to check resources health. Here, the user is root.

  - oarexec:
    executed on the first reserved node, oarexec executes the job prologue and
    initiate the job.

    * the "clean" method kills every oarsub connection process in superuser mode
    * "kill_children" method kills every child of the process in superuser mode
    * execution of a passive job in user mode
    * getting of the user shell in user mode
    * checkpointing in superuser mode


  - job_resource_manager:
    The job_resource_manager script is a perl script that oar server deploys on
    nodes to manage cpusets, users, job keys...

    * cpuset creation and clean is executed in superuser mode

  - oarsh_shell:
    shell program used with the oarsh script. It adds its own process in the
    cpuset and launches the shell or the script of the user.

    * cpuset filling, "nice" and display management are executed as root.
    * TTY login is executed as user.

  - oarsh:
    oar's ssh wrapper to connect from node to node. It contains all the context
    variables usefull for this connection.

    * display management and connection with a user job key file are executed
       as user.

