hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chris Nauroth (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-11415) Local file system on Linux may create files and directories initially with wider permissions than intended.
Date Wed, 17 Dec 2014 19:06:13 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-11415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14250324#comment-14250324

Chris Nauroth commented on HADOOP-11415:

bq. can we switch to the java7 java.nio.file code now, that does let us set permissions on
file creation?

I investigated this while working on HADOOP-11321.  This would not be a backwards-compatible
change, because those permissions would be filtered by the process umask.  The existing semantics
of {{FileSystem}} are that the permissions passed by the caller are not influenced by the
process umask.  For example, if you call {{FileSystem#create}} with 644 permissions, we make
sure the final result is a file with 644 permissions, even if your process umask is 027, which
would have silently changed the resulting permissions to 640 by POSIX semantics.  I discussed
this in more detail in this comment:


We could consider switching to {{java.nio.file}} in trunk targeted to 3.x if we decide these
semantics are incorrect or not worth preserving.

> Local file system on Linux may create files and directories initially with wider permissions
than intended.
> -----------------------------------------------------------------------------------------------------------
>                 Key: HADOOP-11415
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11415
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: fs
>            Reporter: Chris Nauroth
>              Labels: security
> As discussed in HADOOP-11321, the local file system implements file and directory creation
as a two-step process: create followed by chmod to set the caller's requested permissions.
 This causes a brief window in which the new file or directory may have wider permissions
than what the caller requested.  HADOOP-11321 fixed this specifically for Windows as a side
effect of fixing a bug in writing to an SMB share.  This issue tracks fixing it specifically
for Linux.

This message was sent by Atlassian JIRA

View raw message