From "Miklos Szegedi (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7590) Improve container-executor validation check
Date Wed, 10 Jan 2018 22:44:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16321274#comment-16321274 ]

Miklos Szegedi commented on YARN-7590:
--------------------------------------

[~eyang], I figured it out.
{code}
  char *local_path = "target";
{code}
This path is incomplete. We should use {{TEST_ROOT "target"}} to follow the standard (see
the function above this line) and let's do an mkdirs() to make sure it exists and the test
can be run from any directory. That caused the failure on my test machine.

> Improve container-executor validation check
> -------------------------------------------
>
>                 Key: YARN-7590
>                 URL: https://issues.apache.org/jira/browse/YARN-7590
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: security, yarn
>    Affects Versions: 2.0.1-alpha, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, 2.8.0, 2.8.1, 3.0.0-beta1
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>         Attachments: YARN-7590.001.patch, YARN-7590.002.patch, YARN-7590.003.patch, YARN-7590.004.patch, YARN-7590.005.patch, YARN-7590.006.patch, YARN-7590.007.patch, YARN-7590.008.patch
>
>
> There is minimum check for prefix path for container-executor.  If YARN is compromised, attacker can use container-executor to change system files ownership:
> {code}
> /usr/local/hadoop/bin/container-executor spark yarn 0 etc /home/yarn/tokens /home/spark / ls
> {code}
> This will change /etc to be owned by spark user:
> {code}
> # ls -ld /etc
> drwxr-s---. 110 spark hadoop 8192 Nov 21 20:00 /etc
> {code}
> Spark user can rewrite /etc files to gain more access.  We can improve this with additional check in container-executor:
> # Make sure the prefix path is owned by the same user as the caller to container-executor.
> # Make sure the log directory prefix is owned by the same user as the caller.



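The two ownership checks proposed at the end of the issue description, written out as an added illustration. This is not code from the Hadoop project or from the patches attached to YARN-7590; the names check_prefix_owned_by, validate_caller_prefixes and the enum values are assumptions made for this example. The check refuses a prefix that is missing, is not a directory, is a symlink, or is not owned by the calling (real) uid, and it is applied to both the local-dir prefix and the log-dir prefix before anything is done under them.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcomes of the prefix check (names are constructed for this example). */
enum prefix_check {
    PREFIX_OK = 0,
    PREFIX_NOT_FOUND = 1,
    PREFIX_NOT_DIRECTORY = 2,
    PREFIX_SYMLINK = 3,
    PREFIX_WRONG_OWNER = 4
};

/* Check that `path` is an existing, non-symlink directory owned by
 * `expected_uid`. lstat() rather than stat() is used deliberately: a
 * symlink planted at the prefix must not be followed, otherwise a later
 * chown/chmod on the prefix would land on whatever the link points to. */
enum prefix_check check_prefix_owned_by(const char *path, uid_t expected_uid) {
    struct stat sb;
    if (lstat(path, &sb) != 0) {
        return PREFIX_NOT_FOUND;
    }
    if (S_ISLNK(sb.st_mode)) {
        return PREFIX_SYMLINK;
    }
    if (!S_ISDIR(sb.st_mode)) {
        return PREFIX_NOT_DIRECTORY;
    }
    if (sb.st_uid != expected_uid) {
        return PREFIX_WRONG_OWNER;
    }
    return PREFIX_OK;
}

/* Apply the check to both prefixes named in the issue description: the
 * nm-local-dir prefix and the nm-log-dir prefix must both be owned by the
 * caller. Returns the first failure, or PREFIX_OK. In a setuid binary the
 * caller is the real uid, i.e. getuid(), not the effective uid. */
enum prefix_check validate_caller_prefixes(const char *local_prefix,
                                           const char *log_prefix,
                                           uid_t caller_uid) {
    enum prefix_check rc = check_prefix_owned_by(local_prefix, caller_uid);
    if (rc != PREFIX_OK) {
        return rc;
    }
    return check_prefix_owned_by(log_prefix, caller_uid);
}

static const char *prefix_check_name(enum prefix_check rc) {
    switch (rc) {
    case PREFIX_OK:            return "ok";
    case PREFIX_NOT_FOUND:     return "not found";
    case PREFIX_NOT_DIRECTORY: return "not a directory";
    case PREFIX_SYMLINK:       return "is a symlink";
    case PREFIX_WRONG_OWNER:   return "wrong owner";
    }
    return "unknown";
}

/* Create a scratch directory owned by the current user so the demo does not
 * depend on any pre-existing path. `buf` must hold at least 32 bytes;
 * returns NULL on failure. */
char *make_owned_tmpdir(char *buf) {
    strcpy(buf, "/tmp/prefixcheck-XXXXXX");
    return mkdtemp(buf);
}

int main(void) {
    char owned[64];
    if (make_owned_tmpdir(owned) == NULL) {
        perror("mkdtemp");
        return 1;
    }
    uid_t me = getuid();
    /* A prefix the caller owns passes; "/" (owned by root) is rejected for a
     * non-root caller, which is the shape of the case in the description. */
    printf("%s as both prefixes: %s\n", owned,
           prefix_check_name(validate_caller_prefixes(owned, owned, me)));
    printf("/ as log prefix: %s\n",
           prefix_check_name(validate_caller_prefixes(owned, "/", me)));
    rmdir(owned);
    return 0;
}
```

With this in place the invocation quoted in the description, which passes "/" as the log-dir prefix so that the app id "etc" resolves to /etc, is rejected at validation time for a caller that does not own "/", before any ownership change is attempted.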
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


