hadoop-yarn-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (YARN-7430) User and Group mapping are incorrect in docker container
Date Thu, 09 Nov 2017 00:14:01 GMT

    [ https://issues.apache.org/jira/browse/YARN-7430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16244970#comment-16244970 ]

Eric Yang edited comment on YARN-7430 at 11/9/17 12:13 AM:
-----------------------------------------------------------

[~ebadger] They are two separate problems. A lot of the conversation here belongs to YARN-7446.
This issue is to tackle the problem that we have an implicit privilege escalation security
hole in the default shipped configuration when the following conditions are met:

# Privileged container is enabled.
# Deploy docker container with user mapping to a different uid:gid than the host OS, or using
a numeric username to launch the app.
# Data output from the container is written as someone else or with root group ownership.

In summary, to prevent privilege escalation, we should always pass in the primary group to improve
security.



was (Author: eyang):
[~ebadger] They are two separate problems. A lot of the conversation here belongs to YARN-7446.
This issue is to tackle the problem that we have an implicit privilege escalation security
hole in the default shipped configuration when the following conditions are met:

# Privileged container is enabled.
# Deploy docker container with user mapping to a different uid:gid than the host OS, or using
a numeric username to launch the app.
# Data output from the container is written as someone else or with root group.

In summary, to prevent privilege escalation, we should always pass in the primary group to improve
security.


> User and Group mapping are incorrect in docker container
> --------------------------------------------------------
>
>                 Key: YARN-7430
>                 URL: https://issues.apache.org/jira/browse/YARN-7430
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: security, yarn
>    Affects Versions: 2.9.0, 3.0.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Blocker
>         Attachments: YARN-7430.001.patch
>
>
> In YARN-4266, the recommendation was to use -u [uid]:[gid] numeric values to enforce
> user and group for the running user. In YARN-6623, this translated to --user=test --group-add=group1.
> The code no longer enforces the group correctly for the launched process.
> In addition, the implementation in YARN-6623 requires the user and group information
> to exist in the container to translate username and group to uid/gid. For users on LDAP, there
> is no good way to populate the container with user and group information.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


