flux-imp(8)¶

SYNOPSIS¶

flux-imp COMMAND [OPTIONS...]

DESCRIPTION¶

flux-imp is an optional component of Flux which, when installed setuid and configured appropriately, enables a Flux instance to execute and control jobs run as users other than the instance owner.

For details on the background and design of flux-imp see:

RFC 15: Independent Minister of Privilege for Flux: The Security IMP: https://flux-framework.readthedocs.io/projects/flux-rfc/en/latest/spec_15.html

COMMANDS¶

version: Display flux-imp version.
whoami: Display the real and effective user and group ids of the flux-imp process. flux-imp whoami can be used to verify that flux-imp is installed with appropriate setuid permissions for a given calling user.
exec: The flux-imp exec command is invoked by a multi-user instance to execute a the job shell as the appropriate user. Description of the exec command configuration can be found in flux-config-security-imp(5).
kill: The flux-imp kill command is invoked by a multi-user instance to send signals to jobs running as users other than the instance owner.
run: The flux-imp run command is used by a Flux instance to execute arbitrary commands with privilege, typically a job prolog or epilog. Description of run command configuration can be found in flux-config-security-imp(5).

SECURITY NOTES¶

flux-imp should only be installed setuid if multi-user Flux is required. Single user Flux instances do not use flux-imp.

File permissions, access controls, or SELinux policy of flux-imp should be configured such that access is restricted to only those users that require multi-user Flux capability. For example, for a system instance running as user flux, it is suggested that permissions for flux-imp be set such that only the flux user or group has execute permission.

RESOURCES¶