hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7590) Improve container-executor validation check
Date Sat, 02 Dec 2017 00:12:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16275221#comment-16275221

Eric Yang commented on YARN-7590:

I've brought this up in the past (can't remember where) and it didn't get anywhere. I believe
there was a reason that we didn't want yarn-site.xml to be owned by root. Possibly because
it would break current deploys?

I don't think there is a hard requirement that yarn-site.xml must be owned by yarn user. 
This may have been miscommunication.  My clusters have been using root:hadoop, 644 for yarn-site.xml
for most of the past 5 years.

[~miklos.szegedi@cloudera.com] +1 on option 3.  It is smart and safe way to validate the prefix
directory with minimum amount of code change.

[~andrew.wang] This JIRA assumes YARN is compromised.  Theoretical interpretation doesn't
make this reality yet.  I don't believe this is a blocker.  Versions are set accordingly.

> Improve container-executor validation check
> -------------------------------------------
>                 Key: YARN-7590
>                 URL: https://issues.apache.org/jira/browse/YARN-7590
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: security, yarn
>            Reporter: Eric Yang
> There is minimum check for prefix path for container-executor.  If YARN is compromised,
attacker  can use container-executor to change system files ownership:
> {code}
> /usr/local/hadoop/bin/container-executor spark yarn 0 etc /home/yarn/tokens /home/spark
/ ls
> {code}
> This will change /etc to be owned by spark user:
> {code}
> # ls -ld /etc
> drwxr-s---. 110 spark hadoop 8192 Nov 21 20:00 /etc
> {code}
> Spark user can rewrite /etc files to gain more access.  We can improve this with additional
check in container-executor:
> # Make sure the prefix path is same as the one in yarn-site.xml, and yarn-site.xml is
owned by root, 644, and marked as final in property.
> # Make sure the user path is not a symlink, usercache is not a symlink.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org

View raw message