hadoop-mapreduce-dev mailing list archives

From "Todd Lipcon (JIRA)" <j...@apache.org>
Subject [jira] Created: (MAPREDUCE-2096) Secure local filesystem IO from symlink vulnerabilities
Date Tue, 28 Sep 2010 19:48:33 GMT
Secure local filesystem IO from symlink vulnerabilities

                 Key: MAPREDUCE-2096
                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-2096
             Project: Hadoop Map/Reduce
          Issue Type: Bug
          Components: jobtracker, security, tasktracker
    Affects Versions: 0.22.0
            Reporter: Todd Lipcon
            Assignee: Todd Lipcon
            Priority: Blocker

This JIRA is to contribute a patch developed on the private security@ mailing list.

The vulnerability is that MR daemons occasionally open files that are located in a path where
the user has write access. A malicious user may place a symlink in place of the expected file
in order to cause the daemon to instead read another file on the system -- one which the attacker
may not naturally be able to access. This includes delegation tokens belonging to other users,
log files, keytabs, etc.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
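
An added example, not part of the original message and not the Hadoop patch: one way a daemon can read a file from a user-writable directory without being redirected by a symlink, by refusing links at open time and checking the owner on the opened descriptor. The names open_for_read_checked, InsecureFileError and expected_uid are hypothetical.

```python
import errno
import os
import stat


class InsecureFileError(Exception):
    """Raised when a file in a user-writable directory fails the checks."""


def open_for_read_checked(path, expected_uid):
    """Open `path` read-only, refusing symlinks and unexpected owners.

    The checks use fstat() on the opened descriptor rather than stat() on
    the path, so the file cannot be swapped between the check and the read.
    Caveat: O_NOFOLLOW covers only the final path component; the parent
    directories must not be replaceable by the untrusted user.
    """
    # O_NONBLOCK keeps the open from hanging if a FIFO was planted at `path`.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
    flags |= getattr(os, "O_CLOEXEC", 0)
    try:
        fd = os.open(path, flags)
    except OSError as e:
        # Linux reports ELOOP for a symlink here; FreeBSD reports EMLINK.
        if e.errno in (errno.ELOOP, errno.EMLINK):
            raise InsecureFileError(f"{path}: refusing to follow symlink") from e
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise InsecureFileError(f"{path}: not a regular file")
        if st.st_uid != expected_uid:
            raise InsecureFileError(
                f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
        return os.fdopen(fd, "rb")
    except BaseException:
        os.close(fd)
        raise
```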
