Lmod itself is lightweight, but modulefiles can alter environment state and command paths. Hardening is mainly about modulefile trust and path policy.
- Store modulefiles in root/admin-controlled directories.
- Require review before publishing modulefile changes.
- Block user write access to global module trees.
- Separate experimental modules from production modules.
- Prevent modulefiles from prepending untrusted user paths.
- Use family()/conflict rules to avoid mixed compiler/MPI stacks.
- Keep default modules explicit and minimal.
- Log module use where auditing is required.
- Validate modulefile generation pipelines (EasyBuild/Spack).
- Keep Lua runtime and Lmod package updated.
- Restrict shell init modifications to controlled templates.
- Test module behavior in non-privileged test accounts.
Verification commands
```bash
module --version
module avail 2>&1 | head
find /usr/share/lmod /etc/modulefiles /apps/modulefiles -type f -ls 2>/dev/null | head
```
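The checklist items on admin-controlled directories, user write access and untrusted user paths can be checked mechanically. The script below is an added example, not part of Lmod or the original page; its function names, the default trusted owner, the directories treated as untrusted and the sample tree are assumptions.

```shell
#!/usr/bin/env bash
# Added example: audit a modulefile tree for loose permissions and untrusted path entries.
# Trusted owner, untrusted directories and the sample tree are assumptions for illustration;
# the regexes are heuristics, not a modulefile parser.

# Entries not owned by the trusted owner, or writable by group/other (symlinks skipped).
# Drop the -020 test if an admin group legitimately has write access.
find_loose_perms() {
    local tree="$1" owner="${2:-root}"
    find "$tree" ! -type l \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print
}

# Lines that put a temp directory on a path, or read HOME/TMPDIR from the environment
# (Lua prepend_path/append_path and Tcl prepend-path/append-path forms).
find_untrusted_paths() {
    local tree="$1"
    local tmp_re='(prepend|append)[_-]path.*["[:space:]]/(tmp|var/tmp|dev/shm)(/|"|[[:space:]]|$)'
    local env_re='os\.getenv\("(HOME|TMPDIR)"\)|\$(::)?env\((HOME|TMPDIR)\)'
    grep -rnE -e "$tmp_re" -e "$env_re" "$tree" || true
}

# Print findings tagged PERM or PATH; return 0 only when the tree is clean.
audit_module_tree() {
    local tree="$1" owner="${2:-root}" perms paths
    perms=$(find_loose_perms "$tree" "$owner")
    paths=$(find_untrusted_paths "$tree")
    [ -z "$perms" ] || printf '%s\n' "$perms" | sed 's/^/PERM /'
    [ -z "$paths" ] || printf '%s\n' "$paths" | sed 's/^/PATH /'
    [ -z "$perms$paths" ]
}

# Constructed sample tree: one clean modulefile, one world-writable with untrusted paths.
make_sample_tree() {
    local d; d=$(mktemp -d)
    mkdir -p "$d/gcc" "$d/scratchtool"
    printf '%s\n' 'family("compiler")' 'prepend_path("PATH", "/apps/gcc/13.2.0/bin")' > "$d/gcc/13.2.0.lua"
    printf '%s\n' 'prepend_path("PATH", "/tmp/build/bin")' \
        'prepend_path("PATH", pathJoin(os.getenv("HOME"), "bin"))' > "$d/scratchtool/0.1.lua"
    chmod 755 "$d" "$d/gcc" "$d/scratchtool"; chmod 644 "$d/gcc/13.2.0.lua"
    chmod 666 "$d/scratchtool/0.1.lua"
    printf '%s\n' "$d"
}
```

Calling `audit_module_tree /apps/modulefiles` from a scheduled job gives a non-zero exit status whenever a finding is printed.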
- Lmod docs: https://lmod.readthedocs.io/
- Lmod source: https://github.com/TACC/Lmod
- Lmod security advisories: https://github.com/TACC/Lmod/security