hadoop-yarn-issues mailing list archives

From "Omkar Vinit Joshi (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-578) NodeManager should use SecureIOUtils for serving logs and intermediate outputs
Date Fri, 26 Apr 2013 02:30:16 GMT

    [ https://issues.apache.org/jira/browse/YARN-578?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13642524#comment-13642524 ]

Omkar Vinit Joshi commented on YARN-578:
----------------------------------------

There are 3 issues related to symlink attacks in serving logs and ShuffleService:
* Index file (file.out.index) :- [Location - SpillRecord.SpillRecord() - FSDataInputStream] Here we are directly trying to read from the file.out.index file. (So the potential problem is that ShuffleHandler may end up reading files of the yarn user or yarn group user. [yarn:yarn is running nodemanager])
* Map output file (file.out) :- [Location - ShuffleHandler.sendMapOutput() - RandomAccessFile] Here too we are directly accessing the file.out file.
* Container Logs :- [Location - ContainerLogsPage.printLogs() - FileInputStream] Here we are directly accessing container logs as the yarn:yarn user.

At present SecureIOUtils supports only FileInputStream, so I am adding support for 2 more
streams, FSDataInputStream (this is required if you want a stream to be position readable
or seekable) and RandomAccessFile. Filing a separate JIRA for this: HADOOP-9511.
                
> NodeManager should use SecureIOUtils for serving logs and intermediate outputs
> ------------------------------------------------------------------------------
>
>                 Key: YARN-578
>                 URL: https://issues.apache.org/jira/browse/YARN-578
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: nodemanager
>            Reporter: Vinod Kumar Vavilapalli
>            Assignee: Omkar Vinit Joshi
>
> Log servlets for serving logs and the ShuffleService for serving intermediate outputs both should use SecureIOUtils for avoiding symlink attacks.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
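
The three read paths in the comment above have the same exposure: a daemon running as yarn:yarn opens a path inside a directory the job's user controls. The following added example (not Hadoop's SecureIOUtils code and not part of the original message) sketches the open-then-verify-owner pattern in Python: open first, then check the owner on the open descriptor, so the file that was checked is the file that gets read. The names open_for_read_checked, OwnerMismatch and demo, the file names, and the constructed uid are assumptions made for illustration.

```python
import os
import stat
import tempfile


class OwnerMismatch(Exception):
    """The opened file is not a regular file owned by the expected user."""


def open_for_read_checked(path, expected_uid):
    # Open first, then inspect the descriptor with fstat(): the check and the
    # later reads refer to the same inode, so swapping the path afterwards
    # cannot change what is served.
    fd = os.open(path, os.O_RDONLY)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OwnerMismatch(f"{path}: not a regular file")
        if st.st_uid != expected_uid:
            raise OwnerMismatch(
                f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    except BaseException:
        os.close(fd)
        raise
    return os.fdopen(fd, "rb")


def demo():
    daemon_uid = os.getuid()   # this process plays the yarn:yarn daemon
    app_uid = daemon_uid + 1   # constructed uid standing in for the job's user
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample: a daemon-owned file, and a "container log"
        # that is really a symlink to it.
        private = os.path.join(d, "daemon-private")
        with open(private, "wb") as f:
            f.write(b"daemon-only data")
        log = os.path.join(d, "syslog")
        os.symlink(private, log)
        try:
            open_for_read_checked(log, app_uid).close()
            results["symlinked_log"] = "served"
        except OwnerMismatch:
            results["symlinked_log"] = "refused"
        # A file that really belongs to the expected owner is served.
        with open_for_read_checked(private, daemon_uid) as f:
            results["owned_file"] = f.read()
    return results


if __name__ == "__main__":
    print(demo())
```

The same check works for a seekable or random-access handle as long as ownership is verified on the already-open descriptor rather than on the path.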
