hadoop-mapreduce-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Todd Lipcon (JIRA)" <j...@apache.org>
Subject [jira] Commented: (MAPREDUCE-1994) Linux task-controller determines its own path insecurely
Date Thu, 05 Aug 2010 17:21:18 GMT

    [ https://issues.apache.org/jira/browse/MAPREDUCE-1994?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12895743#action_12895743

Todd Lipcon commented on MAPREDUCE-1994:

Yea, sorry, HADOOP_CONF_DIR - the code is a bit messy as it actually detects HADOOP_HOME and
then appends conf/ later... working on a patch that cleans this code up as well.

bq. It is documented to set permissions on task-controller to be as strict as "6050 root mapred".
That should avoid creating hard links to the binary, no?

I believe you're allowed to make hard links to other files regardless of their permissions.
If it were kept in a directory with strict permissions, that would help the issue a little

bq. Just curious, an example of argv[0] spoof?

perl -e 'exec { "/real/path/to/task-controller" } "fake-argv[0]", "normal", "args", "...";'

There isn't really an obvious exploit here since task-controller is supposed to be set with
permissions so that the normal user can't run it. But if it's misconfigured, the attacker
can likely evade the check for that misconfiguration by something like this, so it's worth

> Linux task-controller determines its own path insecurely
> --------------------------------------------------------
>                 Key: MAPREDUCE-1994
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-1994
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>          Components: security, task-controller
>    Affects Versions: 0.22.0
>            Reporter: Todd Lipcon
>            Assignee: Todd Lipcon
>            Priority: Critical
> The task-controller uses argv[0] to determine its own path, and then calls stat() on
that. Instead it should stat("/proc/self/exe") directly. This is important since argv[0] can
be spoofed to point to another program and thus either fool the autodetection of HADOOP_HOME
or evade various permissions checks.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message