SECURE_INFODIR_USER_ACCESS

Syntax

SECURE_INFODIR_USER_ACCESS=Y | N

Description

By default, (SECURE_INFODIR_USER_ACCESS=N or is not defined), any user can view other users job information in lsb.event and lsb.acct files using the bhist or bacct commands. Specify Y to prevent users (includes all users except the primary admin) from accessing other users' job information using bhist or bacct .

With SECURE_INFODIR_USER_ACCESS enabled, a regular user does not have rights to call the API to get data under LSB_SHAREDIR/cluster/logdir, which will be readable only by the primary administrator. Regular and administrator users will not have rights to run bhist -t. Only the primary administrator will have rights to run bhist -t. Regular and administrator users will only see their own job information. The LSF primary administrator can always view all users’ job information in lsb.event and lsb.acct, no matter what the setting.

After enabling this feature, you must setuid of the LSF primary administrator for bhist and bacct binary under LSF_BINDIR. bhist and bacct will call mbatchd to check whether the parameter is set or not when you have setuid for bhist and bacct.

To disable this feature, specify N for SECURE_INFODIR_USER_ACCESS and to avoid bhist and bacct calling mbatchd, remove the setuid for bhist and bacct binary under LSF_BINDIR. When disabled, the permission to LSB_SHAREDIR/cluster/logdir will return to normal after mbatchd is reconfigured (run badmin reconfig).

Note: This feature is only supported when LSF is installed on a file system that supports setuid bit for file. Therefore, this feature does not work on Windows platforms.

Note: If LSB_LOCALDIR has been enabled to duplicate LSB_SHAREDIR, LSB_LOCALDIR will also be readable only by the primary administrator after setting SECURE_INFODIR_USER_ACCESS = Y.

Default