LinuxHostAdapter uses Etc.getlogin which returns 'root' in PUN context #920

@calvofl0

Description

Environment

  • OOD Core Version: 0.29.0
  • Open OnDemand Version: 4.0.8-1
  • OS: Rocky Linux 8
  • Ruby: 3.3

Problem

In lib/ood_core/job/adapters/linux_host/launcher.rb, the username is determined using:

@username = Etc.getlogin

When running in the PUN (Per-User NGINX) context, Etc.getlogin returns root instead of the actual user. This causes the LinuxHostAdapter to SSH as root to the target host and run jobs as root.

Impact

  • Severity: Critical. SSH connections are made as the root user; they either fail or
  • Jobs execute with root privileges instead of the user's privileges

Root Cause

Etc.getlogin returns the username from the controlling terminal. In daemon/web contexts (like PUN), there is no controlling terminal, so it returns the process owner (often root).

From Ruby documentation:

Unfortunately, it is often rather easy to fool getlogin(). Avoid getlogin() for security-related purposes.

Solution

Replace it with Etc.getpwuid.name, which looks up the passwd entry for the process's effective user ID and returns that account's name:

@username = Etc.getpwuid.name

Testing

Before (incorrect):

# In PUN context
Etc.getlogin
# => "root"

After (correct):

# In PUN context
Etc.getpwuid.name
# => "username"  # actual user
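The following is an added example, not code from the OOD Core repository, showing the resolution strategy the fix relies on: derive the account name from the effective UID, and treat a getlogin(3) value that disagrees with it as untrustworthy (in a PUN there is no controlling terminal, so getlogin may return nil or the daemon owner). The module name UserResolver and its method names are assumptions for illustration.

```ruby
require 'etc'

# Added example (not OOD's own code): resolve the user for the SSH hop from the
# effective UID, the way the issue's fix does, instead of trusting getlogin.
module UserResolver
  module_function

  # Name of the account that owns the effective UID. If the UID has no passwd
  # entry, Etc.getpwuid raises ArgumentError; fall back to the numeric UID so
  # the caller still gets a usable, non-root identity string.
  def effective_username(euid = Process.euid)
    Etc.getpwuid(euid).name
  rescue ArgumentError
    euid.to_s
  end

  # Consistency check: does the login name reported by getlogin(3) match the
  # owner of the effective UID? Returns false for nil/empty (no controlling
  # terminal) and for any mismatch, which is the symptom described in the issue.
  def login_consistent?(login_name = Etc.getlogin, euid = Process.euid)
    return false if login_name.nil? || login_name.empty?
    login_name == effective_username(euid)
  end

  # Username to use for the SSH connection. Always the euid-derived name; a
  # disagreement with getlogin is logged so operators can spot PUN-style
  # misattribution, but never changes the result.
  def ssh_username(login_name = Etc.getlogin, euid = Process.euid, log: $stderr)
    name = effective_username(euid)
    unless login_consistent?(login_name, euid)
      log.puts "getlogin=#{login_name.inspect} disagrees with euid #{euid} (#{name}); using #{name}"
    end
    name
  end
end

# Run stand-alone to see which name this process would use and whether
# getlogin agrees with it in the current (terminal or daemon) context.
if __FILE__ == $PROGRAM_NAME
  puts UserResolver.ssh_username
end
```

Run under a terminal the two names normally agree; run from a context without a controlling terminal (a systemd unit, a web worker) the warning line shows the getlogin value the original launcher would have used.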

Note

OOD already uses Etc.getpwuid.name correctly elsewhere (e.g., in session_store.rb):

dir = "/var/tmp/#{Etc.getpwuid.name}"
