Issue #323 highlighted the potential security risks associated with Khiops propagating its privileges to OpenMPI when run as root. To address this, while maintaining user flexibility, we propose implementing the following changes:
Decision made:
Prohibit Elevated Privileges by Default: Khiops will detect the current user and refuse to run with root or admin privileges on all platforms and installation types.
Clear Warning Message: A prominent message will be displayed upon attempted execution with elevated privileges, for instance: _You are trying to run Khiops with elevated privileges. For security reasons, this is not the default behavior and Khiops will now exit. If you understand the potential risks and need to proceed, you can work around this behavior by setting KHIOPS_ALLOW_RUN_AS_ROOT=1. Please note that this will also grant elevated privileges to the third-party MPI library, which is discouraged by its maintainers._
Explicit Override: Users who understand the risks and have a justifiable need to run Khiops with elevated privileges can explicitly set the KHIOPS_ALLOW_RUN_AS_ROOT=1 environment variable to bypass this restriction (no need to read any doc).
Centralized Privilege Management: If KHIOPS_ALLOW_RUN_AS_ROOT is set, khiops-env will set the necessary flags to allow elevated execution for underlying OpenMPI library (OMPI_ALLOW_RUN_AS_ROOT and OMPI_ALLOW_RUN_AS_ROOT_CONFIRM)
This approach aims to strike a balance between:
Usability: Users who require root privileges have a clear and straightforward way to enable them.
User Education: The warning message helps inform users about the risks involved, empowering them to make informed decisions.
OpenMPI Alignment: The warning message and explicit flag requirement align with OpenMPI's recommendations against running their software as root, reinforcing the importance of user awareness and explicit consent.
Issue #323 highlighted the potential security risks associated with Khiops propagating its privileges to OpenMPI when run as root. To address this, while maintaining user flexibility, we propose implementing the following changes:
Decision made:
KHIOPS_ALLOW_RUN_AS_ROOT=1. Please note that this will also grant elevated privileges to the third-party MPI library, which is discouraged by its maintainers._KHIOPS_ALLOW_RUN_AS_ROOT=1environment variable to bypass this restriction (no need to read any doc).KHIOPS_ALLOW_RUN_AS_ROOTis set, khiops-env will set the necessary flags to allow elevated execution for underlying OpenMPI library (OMPI_ALLOW_RUN_AS_ROOTandOMPI_ALLOW_RUN_AS_ROOT_CONFIRM)This approach aims to strike a balance between:
Usability: Users who require root privileges have a clear and straightforward way to enable them. User Education: The warning message helps inform users about the risks involved, empowering them to make informed decisions. OpenMPI Alignment: The warning message and explicit flag requirement align with OpenMPI's recommendations against running their software as root, reinforcing the importance of user awareness and explicit consent.