Skip to content

SH_SDOW on Sherlock

sh_adow is a system, implmented on Sherlock, whereby SRC Researcher Facing personell can impersonate, or “shadow,” a regular user, in order to test commands, modify files, copy data for local testing, etc. sh_adow requires explicit user consent, that consent can be explicitly revoked, and that consent expires after 48 hours – which is all to say that this is a pretty safe operation.

Every member of the researcher-facing team can now use sh_adow on a Sherlock login node to directly become a user:  you get a login shell as the user, with their full environment loaded.

The workflow is simple:

The support consultant will ask the user to create an empty .sh_allow_support file in the $HOME directory, eg. with touch

touch $HOME/.sh_allow_support

This is the user consent to be shadowed. If that file doesn’t exist, the user cannot be impersonated.

The suppot consultant will then run sh_adow <username> on any login node at which time, they can poke around, debug, fix things in the enviroment, then exit when finished.

The consent file auto-expires after 48h (and gets cleaned up automatically if stale). If it’s expired, just ask them to touch it again.

Everything is audited, so we can keep a record of those shadow sessions:

Slack notifications are sent to #sherlock-events  when a session starts and ends (threaded together for easy tracking), your commands are saved to a separate history file in the user’s homedir (.sh_support..), full I/O is recorded via sudo session logging

sh_adow should already be in your PATH (you can check with sh_adow -h ).