hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Miklos Szegedi (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7590) Improve container-executor validation check
Date Thu, 11 Jan 2018 04:04:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16321664#comment-16321664

Miklos Szegedi commented on YARN-7590:

[~eyang], The code I suggested above
fprintf(LOGFILE, "Error checking file stats for %s %d %s.\n", nm_root, err, strerror(err));
It should be the following:
fprintf(LOGFILE, "Error checking file stats for %s %d %s.\n", nm_root, err, strerror(errno));
This is my mistake, I apologize. Please update the patch. Also I am inclined to wait until
YARN-7705 gets checked in and update this patch to call your new function there also. What
do you think?

> Improve container-executor validation check
> -------------------------------------------
>                 Key: YARN-7590
>                 URL: https://issues.apache.org/jira/browse/YARN-7590
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: security, yarn
>    Affects Versions: 2.0.1-alpha, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, 2.8.0, 2.8.1,
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>         Attachments: YARN-7590.001.patch, YARN-7590.002.patch, YARN-7590.003.patch, YARN-7590.004.patch,
YARN-7590.005.patch, YARN-7590.006.patch, YARN-7590.007.patch, YARN-7590.008.patch, YARN-7590.009.patch
> There is minimum check for prefix path for container-executor.  If YARN is compromised,
attacker  can use container-executor to change system files ownership:
> {code}
> /usr/local/hadoop/bin/container-executor spark yarn 0 etc /home/yarn/tokens /home/spark
/ ls
> {code}
> This will change /etc to be owned by spark user:
> {code}
> # ls -ld /etc
> drwxr-s---. 110 spark hadoop 8192 Nov 21 20:00 /etc
> {code}
> Spark user can rewrite /etc files to gain more access.  We can improve this with additional
check in container-executor:
> # Make sure the prefix path is owned by the same user as the caller to container-executor.
> # Make sure the log directory prefix is owned by the same user as the caller.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org

View raw message