flux exec --jobid doesn't work for job owner in system instance

[garlick]

Problem: intuitively you'd expect flux exec --jobid ID to work in the system instance when the invoking user is the same as the job owner of ID, but it does not.

The reason is noted in the code:

/* The embedded subprocess server restricts access based on FLUX_ROLE_OWNER,
 * but this shell cannot trust message credentials if they are passing through
 * a Flux instance running as a different user (e.g. the "flux" user in a
 * system instance).  If that user were compromised, they could run arbitrary
 * commands as any user that currently has a job running.  Therefore, this
 * additional check ensures that we only trust an instance running as the same
 * user.
 *
 * For good measure, check that the shell userid matches the credential
 * userid. After the above check, this could only fail in test where the
 * owner can be mocked.
 */

The method used to check if the instance is to be trusted is

    /* Determine if this shell is running as the instance owner, without
     * trusting the instance owner to tell us.  Since the parent of a guest
     * shell is flux-imp(1), kill(2) of the parent pid should fail for guests.
     */
    pid_t ppid = getppid (); // 0 =  parent is in a different pid namespace
    if (ppid > 0 && kill (getppid (), 0) == 0)
        rexec->parent_is_trusted = true;

Discussion began in

• Allow tool access to Flux while running outside an allocation #6546

[garlick]

@grondo mentioned munge as an idea for enhancing message credentials in this case.

I wonder if we could amend the subprocess protocol to allow a signing method from flux-security to be used on the exec requests?