Date: Wed, 10 Jan 2018 22:44:00 +0000 (UTC)
From: "Miklos Szegedi (JIRA)"
To: yarn-issues@hadoop.apache.org
Subject: [jira] [Commented] (YARN-7590) Improve container-executor validation check

    [ https://issues.apache.org/jira/browse/YARN-7590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16321274#comment-16321274 ]

Miklos Szegedi commented on YARN-7590:
--------------------------------------

[~eyang], I figured it out.
{code}
char *local_path = "target";
{code}
This path is incomplete. We should use {{TEST_ROOT "target"}} to follow the standard (see the function above this line) and let's do an mkdirs() to make sure it exists and the test can be run from any directory. That caused the failure on my test machine.

> Improve container-executor validation check
> -------------------------------------------
>
>                 Key: YARN-7590
>                 URL: https://issues.apache.org/jira/browse/YARN-7590
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: security, yarn
>   Affects Versions: 2.0.1-alpha, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, 2.8.0, 2.8.1, 3.0.0-beta1
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>         Attachments: YARN-7590.001.patch, YARN-7590.002.patch, YARN-7590.003.patch, YARN-7590.004.patch, YARN-7590.005.patch, YARN-7590.006.patch, YARN-7590.007.patch, YARN-7590.008.patch
>
>
> There is minimum check for prefix path for container-executor. If YARN is compromised, attacker can use container-executor to change system files ownership:
> {code}
> /usr/local/hadoop/bin/container-executor spark yarn 0 etc /home/yarn/tokens /home/spark / ls
> {code}
> This will change /etc to be owned by spark user:
> {code}
> # ls -ld /etc
> drwxr-s---. 110 spark hadoop 8192 Nov 21 20:00 /etc
> {code}
> Spark user can rewrite /etc files to gain more access. We can improve this with additional check in container-executor:
> # Make sure the prefix path is owned by the same user as the caller to container-executor.
> # Make sure the log directory prefix is owned by the same user as the caller.
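
The ownership check proposed in the quoted issue description (refuse a prefix path that is not owned by the expected user), sketched as an added example; it is not code from the YARN-7590 patches, and `check_dir_owner` and `run_demo` are hypothetical names. It assumes a POSIX system with a writable `/tmp` and uses a constructed temporary directory as the sample input.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not from the YARN patches: returns 0 only if `path`
 * is a real directory (not a symlink) owned by `expected`, else -1. */
int check_dir_owner(const char *path, uid_t expected) {
  /* O_NOFOLLOW rejects a symlink as the final component; fstat() on the
   * descriptor inspects the object that was opened, not a later swap. */
  int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
  if (fd < 0) return -1;
  struct stat sb;
  int rc = -1;
  if (fstat(fd, &sb) == 0 && S_ISDIR(sb.st_mode) && sb.st_uid == expected)
    rc = 0;
  close(fd);
  return rc;
}

/* Constructed scenario: a directory we create (so we own it), the same
 * directory checked against a different uid, and a symlink pointing at it.
 * Each case that behaves as intended sets one bit in the result. */
int run_demo(void) {
  char dir[] = "/tmp/ce-prefix-XXXXXX";
  char lnk[64];
  if (mkdtemp(dir) == NULL) return -1;
  snprintf(lnk, sizeof lnk, "%s.lnk", dir);
  if (symlink(dir, lnk) != 0) { rmdir(dir); return -1; }
  uid_t me = geteuid();
  int result = 0;
  if (check_dir_owner(dir, me) == 0) result |= 1;     /* owner matches */
  if (check_dir_owner(dir, me + 1) != 0) result |= 2; /* wrong owner refused */
  if (check_dir_owner(lnk, me) != 0) result |= 4;     /* symlink refused */
  unlink(lnk);
  rmdir(dir);
  return result;
}

int main(void) {
  printf("demo result: %d (7 means all three cases behaved)\n", run_demo());
  return 0;
}
```

A privileged helper would run a check like this before any chown, so that a request naming `/` as the prefix, as in the command quoted above, is rejected instead of changing the ownership of `/etc`.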