ambari-issues mailing list archives

From "Dmitry Lysnichenko (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-21970) Enable sticky bit for curl_krb_cache
Date Wed, 20 Sep 2017 13:15:01 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-21970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16173160#comment-16173160 ]

Dmitry Lysnichenko commented on AMBARI-21970:
---------------------------------------------

+1

> Enable sticky bit for curl_krb_cache
> ------------------------------------
>
>                 Key: AMBARI-21970
>                 URL: https://issues.apache.org/jira/browse/AMBARI-21970
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.5.0
>            Reporter: Krishnama Raju K
>            Assignee: Eugene Chekanskiy
>            Priority: Minor
>         Attachments: AMBARI-21970.patch
>
>
> In a secure environment, we see that "/var/lib/ambari-agent/tmp" has the sticky bit enabled. Trying to enable such permissions (sticky bit or any other permissions) for "curl_krb_request.py" is being overwritten after a few seconds.
> It is observed that the chmod permissions set in "curl_krb_request.py" enforce periodic 0777, as shown in the snippet below.
> {code:java}
> curl_krb_cache_path = os.path.join(tmp_dir, "curl_krb_cache")
> if not os.path.exists(curl_krb_cache_path):
>   os.makedirs(curl_krb_cache_path)
> os.chmod(curl_krb_cache_path, 0777)
> {code}
> Ref: https://github.com/apache/ambari/blob/trunk/ambari-common/src/main/python/resource_management/libraries/functions/curl_krb_request.py
> Hence, code changes need to be done for setting the sticky bit to prevent access from users who did not create the specific file.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
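
The behaviour described in the issue, as an added example that is neither Ambari's code nor the attached patch: it detects a world-writable directory without the sticky bit and re-applies a sticky mode instead of 0777. The mode 01777 and the names `ensure_cache_dir`, `is_unsafe_shared_dir` and `demo` are assumptions made for illustration.

```python
import os
import stat
import tempfile

CACHE_MODE = 0o1777  # assumption: keep world-writable access, add the sticky bit


def ensure_cache_dir(tmp_dir, name="curl_krb_cache"):
    """Create the cache directory and enforce CACHE_MODE; return its path."""
    path = os.path.join(tmp_dir, name)
    try:
        # The mode given to mkdir is filtered by the umask, so chmod below is still needed.
        os.mkdir(path, CACHE_MODE)
    except FileExistsError:
        pass
    st = os.lstat(path)
    # Refuse a symlink or other non-directory found at the path rather than chmod its target.
    if not stat.S_ISDIR(st.st_mode):
        raise OSError("%s is not a directory" % path)
    # Only touch the mode when it differs, so a correct directory is left alone.
    if stat.S_IMODE(st.st_mode) != CACHE_MODE:
        os.chmod(path, CACHE_MODE)
    return path


def is_unsafe_shared_dir(path):
    """True when a directory is world-writable but lacks the sticky bit."""
    mode = os.lstat(path).st_mode
    return (stat.S_ISDIR(mode)
            and bool(mode & stat.S_IWOTH)
            and not mode & stat.S_ISVTX)


def demo():
    """Constructed scenario: the 0777 directory from the issue, then the sticky mode."""
    with tempfile.TemporaryDirectory() as tmp_dir:
        legacy = os.path.join(tmp_dir, "curl_krb_cache")
        os.mkdir(legacy)
        os.chmod(legacy, 0o777)            # what the quoted snippet enforces
        before = is_unsafe_shared_dir(legacy)
        ensure_cache_dir(tmp_dir)          # re-applies 01777 on the existing directory
        after_mode = stat.S_IMODE(os.lstat(legacy).st_mode)
        return before, after_mode, is_unsafe_shared_dir(legacy)


if __name__ == "__main__":
    print(demo())
```

With the sticky bit set, entries in the directory can be removed or renamed only by their owner, the directory owner, or root, while every user can still create files there.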
