Date: Thu, 5 Aug 2010 13:21:18 -0400 (EDT)
From: "Todd Lipcon (JIRA)"
To: mapreduce-issues@hadoop.apache.org
Subject: [jira] Commented: (MAPREDUCE-1994) Linux task-controller determines its own path insecurely

    [ https://issues.apache.org/jira/browse/MAPREDUCE-1994?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12895743#action_12895743 ]

Todd Lipcon commented on MAPREDUCE-1994:
----------------------------------------

Yea, sorry, HADOOP_CONF_DIR - the code is a bit messy as it actually detects HADOOP_HOME and then appends conf/ later... working on a patch that cleans this code up as well.

bq. It is documented to set permissions on task-controller to be as strict as "6050 root mapred". That should avoid creating hard links to the binary, no?

I believe you're allowed to make hard links to other files regardless of their permissions. If it were kept in a directory with strict permissions, that would help the issue a little bit.

bq. Just curious, an example of argv[0] spoof?

perl -e 'exec { "/real/path/to/task-controller" } "fake-argv[0]", "normal", "args", "...";'

There isn't really an obvious exploit here since task-controller is supposed to be set with permissions so that the normal user can't run it. But if it's misconfigured, the attacker can likely evade the check for that misconfiguration by something like this, so it's worth fixing.

> Linux task-controller determines its own path insecurely
> --------------------------------------------------------
>
>                 Key: MAPREDUCE-1994
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-1994
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>          Components: security, task-controller
>    Affects Versions: 0.22.0
>            Reporter: Todd Lipcon
>            Assignee: Todd Lipcon
>            Priority: Critical
>
> The task-controller uses argv[0] to determine its own path, and then calls stat() on that. Instead it should stat("/proc/self/exe") directly. This is important since argv[0] can be spoofed to point to another program and thus either fool the autodetection of HADOOP_HOME or evade various permissions checks.
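The fix the issue asks for, sketched as an added example (this is not the task-controller source and not the patch mentioned in the comment): the binary resolves and stats itself through /proc/self/exe and never consults argv[0]. The function names, the exact-match reading of "6050 root mapred", and the gid 500 standing in for the mapred group are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE
#include <limits.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Path of the running binary as recorded by the kernel. argv[0] is not
 * used: whoever calls exec() picks that string. Returns 0 on success. */
int self_exe_path(char *buf, size_t len) {
    if (len < 2) return -1;
    ssize_t n = readlink("/proc/self/exe", buf, len - 1);
    if (n < 0 || (size_t)n >= len - 1) return -1; /* error or truncated */
    buf[n] = '\0';
    return 0;
}

/* Assumed policy (from "6050 root mapred"): regular file, owner root,
 * expected group, mode exactly 06050. Returns 1 if it matches. */
int perms_ok(const struct stat *st, gid_t expected_gid) {
    if (!S_ISREG(st->st_mode)) return 0;
    if (st->st_uid != 0 || st->st_gid != expected_gid) return 0;
    return (st->st_mode & 07777) == 06050;
}

/* stat() through /proc/self/exe, so the inode checked is the one that is
 * actually executing. Returns 1 ok, 0 bad permissions, -1 on error. */
int check_self(gid_t expected_gid) {
    struct stat st;
    if (stat("/proc/self/exe", &st) != 0) return -1;
    return perms_ok(&st, expected_gid);
}

int main(int argc, char **argv) {
    char real[PATH_MAX];
    if (self_exe_path(real, sizeof real) != 0) {
        perror("readlink /proc/self/exe");
        return 1;
    }
    printf("argv[0] (caller-chosen): %s\n", argc > 0 ? argv[0] : "(none)");
    printf("/proc/self/exe (kernel): %s\n", real);
    /* 500 is a constructed gid standing in for the mapred group. */
    int ok = check_self(500);
    printf("permission check: %s\n", ok == 1 ? "ok" : ok == 0 ? "rejected" : "error");
    return ok == 1 ? 0 : 1;
}
```

Because the check follows the kernel's link to the executing inode, a hard link to the binary under another name still gets the same ownership and mode verdict, and the string passed as argv[0] has no influence on it.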