hadoop-yarn-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7590) Improve container-executor validation check
Date Fri, 01 Dec 2017 18:03:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16274708#comment-16274708 ]

Eric Yang commented on YARN-7590:
---------------------------------

There are currently two proposals to address this issue:

h3. Proposals

# Container executor should link to a C based XML parser to get local directories from yarn-site.xml.
# Add configuration to container executor config for local directories for container executor to verify allowed prefix path.

h3. Obstacle

If we choose option 1, expat and libxml2 are license compatible libraries for this purpose. However, both parsers have had security vulnerabilities as well that allow hijacking of the doctype to connect to a remote server for DTD validation. The implementation must disable remote schema validation.

If we choose option 2, this design was originally proposed 6+ years ago, but the implementation was lost in MAPREDUCE-2413. If we put the duplicated properties in separate files, then they are likely to get lost during code optimization again. I recommend avoiding this path.

> Improve container-executor validation check
> -------------------------------------------
>
>                 Key: YARN-7590
>                 URL: https://issues.apache.org/jira/browse/YARN-7590
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: security, yarn
>            Reporter: Eric Yang
>
> There is minimal checking of the prefix path for container-executor.  If YARN is compromised, an attacker can use container-executor to change system file ownership:
> {code}
> /usr/local/hadoop/bin/container-executor spark yarn 0 etc /home/yarn/tokens /home/spark / ls
> {code}
> This will change /etc to be owned by the spark user:
> {code}
> # ls -ld /etc
> drwxr-s---. 110 spark hadoop 8192 Nov 21 20:00 /etc
> {code}
> The spark user can rewrite /etc files to gain more access.  We can improve this with additional checks in container-executor:
> # Make sure the prefix path is the same as the one in yarn-site.xml, and yarn-site.xml is owned by root, 644, and marked as final in the property.
> # Make sure the user path is not a symlink, and usercache is not a symlink.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org

