OOD Developer Sandbox Security

I have a question about developing apps in OOD. My old institution had app development enabled by default for all users. It was great! You could just clone a git repo into the right subfolder and have it pop up in the OOD web interface. We used it quite a lot in my old group to customize and develop apps.

My frustration is that my new institution doesn’t enable the developer sandbox for any users. I’ve been told the reason is security concerns. Fair enough, right? I’m not a sysadmin, and I don’t know if there are credible security risks associated with enabling this feature. That said, I am a little surprised that the developer sandbox would be deemed too risky at one institution and not at another one with a similar security cross-section.

So, I want to know, is it truly more risky to let users install and develop OOD apps than to let them install and develop apps at the terminal? If not, is there anything I can share with my sysadmins that’d allay their fears?

Hi and welcome!

The developer page in the docs to enable this pretty much states everything they need to know, especially in the Warning banner as that is what is relevant to understand.

Essentially, you are making the web-node OOD is on into a login-node where users (possibly all unless you follow below) can run arbitrary code.

There are ways you can limit who is a developer using groups and initializers as well which you’ll see in that doc link, but some institutions might know how to do this better than others.

It isn’t surprising this is different between institutions to me as security policy and admin know-how can vary widely from institution to institution.

The warning says:

If you do this, it is recommended that you treat the node that OnDemand is running on as a login node, as you are effectively giving those users shell access by letting them run arbitrary code on the OnDemand node (of course the UID of the processes are still their regular unprivileged user UID).

What are the possible risks? Using up all the memory or disk space I suppose? With a sufficiently tight cgroup is this safe?

Also, is there a difference in security risks between interactive (job scheduler) and Passenger (web server) apps? It seems to me like the former has almost no risk because it’s only the static web form that’s living on the OnDemand node, and all compute work is running on the cluster which must already be set up appropriately. Is it possible to allow one but not the other?