In our cluster with PBS batch system (torque) installed, we wish all the users execute their jobs by qsub so that the CPU resources can be well managed. However, it is found that users in our cluster can still directly run their programs directly in their bash shell.

I have noticed that some other cluster systems have restricted users from running their own binary. their command prompt is different from full priviliged command prompt.(starting from ~>)

qczhan2@barrine1:~>echo $0

In their configureation, users can run basic commands, like ls, pwd, cp and cd, but when usrs run their own binary, the system reminds "permission not allowd."

I am just wondering how to configure the system to be like that?

Thank you very much.

update: ? I have tried:

(a) mounting the filesystem with noexec option, but this method doesn’t allow user to run their binary from pbs as well.

(b) using restricted bash, but this method doesn’t even allow user to use “cd” command.

  • 232
  • 1
  • 5

1 Answers1


The problem with cluster management is you are always going to find someone willing to cheat the system. Accountability can go a long way towards changing behavior. You may need to consider a change of priority in the queue or rescinding access to problem users.

Mounting home as noexec seems like a decent idea but that fails if you don't have a centrally managed set of installed programs. I'm assuming users are logging into nodes and running commands interactively. I quick google search reveals a Torque PAM module that could be of use to limit node access to users with jobs currently on that node. In this case they would be stealing CPU from themselves. You may also be able to deny ssh access to compute nodes from the head node but you will still need to allow ssh between the nodes.

If you are dealing with a large single machine or a single system image cluster you might be able to do something with CPU limits. You would need to assign a small soft limit and reasonable hard limit on CPU time. The bash profile in /etc would have to then be modified to look for PBS environment variable set by Torque and increase the user's soft limit to match the hard limit. Of course, the users could increase their soft limits and still cheat the system.

A little creativity in scripting can go a long ways but it is always useful to have a set of policies to point at when users complain. If you can identify the offending processes with a script you can always kill them or nice them with a cron job. Good Luck

  • 232
  • 1
  • 5