hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Casey Brotherton (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-12344) validateSocketPathSecurity0 message could be better
Date Sat, 29 Aug 2015 02:58:45 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-12344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14720935#comment-14720935
] 

Casey Brotherton commented on HADOOP-12344:
-------------------------------------------

Hello [~qwertymaniac], and [~cmccabe], 
Added an inline correction message, it becomes somewhat more beefy, because there isn't one
octal perm, but rather, three conditions noted below.

Hello [~steve_l],
Thanks for the hint.  The test had a contains, but included the entire message.  I changed
it to check two shorter strings.

I also added a link to a non-existent wiki page.  The error message is even a bit beefier
with the link.

Let me know if it is too long.

Suggestions for a wiki page:

{quote}
Socket Path Permissions.

In order to run a secure environment, paths used to contain sockets need to be protected from

unauthorized access.  Otherwise, it is possible that an unprivileged user can perform a 
man-in-the-middle attack by removing the socket and replacing it with a new one.

In a POSIX filesystem, that means that all of the paths to the directory used for the 
socket need to have the following characteristics:

1)  Not world-writable.
2)  Only group-writable if the group is root.
3)  Either owned by either root, or the user creating the socket.

For more information, consult your operating system's documentation.
Here is a link to overall documentation regarding filesystem permissions:  
https://en.wikipedia.org/wiki/File_system_permissions

For examining the path in more detail, the following commands may be useful:

namei -om /var/run/hdfs-sockets/dn
ls -l /var/run/hdfs-sockets/dn

For changing the path, the following commands may be useful:

chmod 0755 /var/run/hdfs-sockets/dn
chown hdfs:hadoop /var/run/hdfs-sockets/dn

HDFS daemons will fail to start if the sockets are not protected as required.

{quote}

Running the tests locally before I attach the patch.

> validateSocketPathSecurity0 message could be better
> ---------------------------------------------------
>
>                 Key: HADOOP-12344
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12344
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: net
>            Reporter: Casey Brotherton
>            Assignee: Casey Brotherton
>            Priority: Trivial
>         Attachments: HADOOP-12344.patch
>
>
> When a socket path does not have the correct permissions, an error is thrown.
> That error just has the failing component of the path and not the entire path of the
socket.
> The entire path of the socket could be printed out to allow for a direct check of the
permissions of the entire path.
> {code}
> java.io.IOException: the path component: '/' is world-writable.  Its permissions are
0077.  Please fix this or select a different socket path.
> 	at org.apache.hadoop.net.unix.DomainSocket.validateSocketPathSecurity0(Native Method)
> 	at org.apache.hadoop.net.unix.DomainSocket.bindAndListen(DomainSocket.java:189)
> ...
> {code}
> The error message could also provide the socket path:
> {code}
> java.io.IOException: the path component: '/' is world-writable.  Its permissions are
0077.  Please fix this or select a different socket path than '/var/run/hdfs-sockets/dn'
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message