accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Josh Elser (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ACCUMULO-2806) Accumulo init should ensure wals and tables are not world readable
Date Wed, 14 May 2014 17:57:15 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-2806?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13997823#comment-13997823
] 

Josh Elser commented on ACCUMULO-2806:
--------------------------------------

bq. this probably also impacts 1.5.x, but I haven't confirmed yet.

I would assume this to also be the case.

Also, 'recovery' should be protected in addition to 'tables' and 'wal'.

> Accumulo init should ensure wals and tables are not world readable
> ------------------------------------------------------------------
>
>                 Key: ACCUMULO-2806
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-2806
>             Project: Accumulo
>          Issue Type: Bug
>    Affects Versions: 1.6.0
>            Reporter: Sean Busbey
>            Priority: Critical
>             Fix For: 1.6.1, 1.7.0
>
>
> Just did an init on a new 1.6.1-SNAP cluster, and noticed the following permissions:
> {noformat}
> dfs -ls /
> Found 4 items
> drwxr-xr-x   - accumulo supergroup          0 2014-05-14 09:48 /accumulo
> drwxr-xr-x   - hdfs     supergroup          0 2014-05-14 08:10 /jobtracker
> drwxrwxrwx   - hdfs     supergroup          0 2014-05-14 08:10 /tmp
> drwxr-xr-x   - hdfs     supergroup          0 2014-05-14 09:48 /user
> -bash-4.1$ hdfs dfs -ls /accumulo
> Found 3 items
> drwxr-xr-x   - accumulo supergroup          0 2014-05-14 09:55 /accumulo/instance_id
> drwxr-xr-x   - accumulo supergroup          0 2014-05-14 09:55 /accumulo/tables
> drwxr-xr-x   - accumulo supergroup          0 2014-05-14 09:55 /accumulo/version
> {noformat}
> I previously set up /accumulo as 755, under the understanding that clients need access
to /accumulo/instance_id
> things to fix
> # make init chmod tables and wals to 700, as a defensive measure to avoid data leaks
> # maybe also make sure if the trash is enabled that our user directory is also not world
readable
> # If clients don't need access to instance_id, include a check that the data dir is not
world readable
> Workaround: manually change permissions after init



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message