Problem by Installing a PVMCluster (rsh Problem ?)
Robert G. Brown
rgb@phy.duke.edu
Wed, 16 Sep 1998 15:12:41 -0400
On Wed, 16 Sep 1998, Bernd_Wollny wrote:
> hello,
> I try to install a PVM/Cluster but I have a problem that I can't add
> another host.
> %pvm
> pvm> add naomi
> 0 successful
> HOST DTID
> naomi Can't start pvmd
> pvm>
>
>
> If I start pvm with strace I get this message
> [pid xx] execve("/bin/rsh", ["/bin/rsh", "naomi", "$PVM_ROOT/lib/pvmd"
> ...
> [/* 51 vars */]) = -1 EPERM (Operation not permitted)
>
> The problem is that /bin/rsh is setuid root.

/bin/rsh being suid root is not your problem. Here is a problem
analysis tree:

a) Can you enter something like "rsh naomi pvmd" from userspace and have
it work? If not, this has to work before pvm will work. Learn about
.rhosts, /etc/hosts.equiv, /etc/hosts.allow, /etc/hosts.deny, and all
that from the rsh man pages and ff.

b) If a) fails, are you trying to run pvm as root? Note that whether or
not one can execute a remote rsh command as root has to do with what is
in /root/.rhosts on naomi, not whether or not rsh is suid root. One can
easily execute remote rsh commands as a user using the suid root
/bin/rsh, but only if the host you are trying it on permits it.

c) If a) and b) both succeed, then check to make sure that /tmp/pvm*
lockfiles from a previous invocation of pvm are all gone. One of my
basic bitches about pvm is that it doesn't do very well at cleaning up
its own mess; lockfiles and logfiles tend to get left behind if a run
isn't terminated just right. I've even written grooming scripts to
remove all the lockfiles on my virtual machine just to avoid having to
login all over the place to delete them by hand.

My own money is on a/b being your problem. The two best solutions are
to:

a) not run pvm as root -- properly configured, pvmd and pvm in general
run fine from userspace; and
b) build pvm on top of ssh instead of rsh.

I personally do recommend the latter in any event -- in addition to
providing much better security and control for users (ssh passwds are
encrypted as they cross insecure nets passing from host to host, for
example, foiling some snoopers), .shosts-enabled ssh root commands are
often acceptably safe where rsh root commands are generally not. Since
snooping is the number-one method of cracking a remote network (I think
80% of our cracking incidents over the last 10 years have been snooped
passwds when, e.g., a student logs into the department from an insecure
local site while home over the summer or visiting another department) it
really helps to use a secure remote shell with public key/private key
encryption.
Hope this helps.
rgb
Robert G. Brown http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567 Fax: 919-660-2525 email:rgb@phy.duke.edu
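
The a/b/c checks from the reply above as a preflight script; this is an added example, not part of the original message or of PVM itself. The function names are hypothetical, and it assumes PVM 3's per-user files are /tmp/pvmd.<uid> and /tmp/pvml.<uid> and that the PVM_RSH environment variable names the remote shell binary.

```shell
#!/bin/sh
# Preflight for "pvm> add <host>", walking the a/b/c checks from the reply.
# Assumptions (not from the post): function names; PVM 3's per-user files are
# /tmp/pvmd.<uid> and /tmp/pvml.<uid>; PVM_RSH names the remote shell binary.

# (a) Can the remote shell run a command on the host without prompting?
remote_shell_ok() {  # $1 = host, $2 = remote shell binary
    case "$2" in
        *ssh) "$2" -o BatchMode=yes -o ConnectTimeout=5 "$1" true ;;
        *)    "$2" "$1" true ;;
    esac </dev/null >/dev/null 2>&1
}

# (c) List leftover per-user pvmd files; nothing is deleted here.
stale_pvm_files() {  # $1 = directory, $2 = numeric uid
    for f in "$1/pvmd.$2" "$1/pvml.$2"; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Run all three checks; returns the number of findings (0 = ready to add).
pvm_preflight() {  # $1 = host, $2 = uid, $3 = tmp dir
    host=$1 uid=${2:-$(id -u)} dir=${3:-/tmp} rsh=${PVM_RSH:-rsh} bad=0
    if [ "$uid" -eq 0 ]; then                               # (b)
        echo "running as root: remote root access depends on the target's /root/.rhosts"
        bad=$((bad + 1))
    fi
    if ! remote_shell_ok "$host" "$rsh"; then               # (a)
        echo "'$rsh $host true' failed: fix remote shell access first"
        bad=$((bad + 1))
    fi
    left=$(stale_pvm_files "$dir" "$uid")                   # (c)
    if [ -n "$left" ]; then
        echo "leftover pvmd files (remove once no pvmd is running):"
        echo "$left"
        bad=$((bad + 1))
    fi
    return "$bad"
}

if [ $# -gt 0 ]; then pvm_preflight "$@"; fi
```

Run it on the master as the user who starts pvm, for example with PVM_RSH set to the ssh binary and the target host as the only argument.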