hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jason Lowe (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7221) Add security check for privileged docker container
Date Tue, 03 Apr 2018 22:17:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7221?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16424688#comment-16424688

Jason Lowe commented on YARN-7221:

Thanks for updating the patch!

The groups variable needs to be initialized to NULL otherwise we will try to free an uninitialized
value if getgrouplist returns 0.  The compiler is also warning about the uninitialized use
in the getgrouplist calls because it doesn't know the semantics of that function.

Nit: The second getgrouplist call should be within the rc < 0 block since it doesn't help
to call it again if we didn't allocate a group buffer (i.e.: it returned 0 the first time).

The cetest "User test does not exist in host OS" failure still needs to be addressed.

> Add security check for privileged docker container
> --------------------------------------------------
>                 Key: YARN-7221
>                 URL: https://issues.apache.org/jira/browse/YARN-7221
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: 3.0.0, 3.1.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>         Attachments: YARN-7221.001.patch, YARN-7221.002.patch, YARN-7221.003.patch, YARN-7221.004.patch,
YARN-7221.005.patch, YARN-7221.006.patch, YARN-7221.007.patch, YARN-7221.008.patch, YARN-7221.009.patch,
YARN-7221.010.patch, YARN-7221.011.patch, YARN-7221.012.patch, YARN-7221.013.patch, YARN-7221.014.patch,
> When a docker is running with privileges, majority of the use case is to have some program
running with root then drop privileges to another user.  i.e. httpd to start with privileged
and bind to port 80, then drop privileges to www user.  
> # We should add security check for submitting users, to verify they have "sudo" access
to run privileged container.  
> # We should remove --user=uid:gid for privileged containers.  
> Docker can be launched with --privileged=true, and --user=uid:gid flag.  With this parameter
combinations, user will not have access to become root user.  All docker exec command will
be drop to uid:gid user to run instead of granting privileges.  User can gain root privileges
if container file system contains files that give user extra power, but this type of image
is considered as dangerous.  Non-privileged user can launch container with special bits to
acquire same level of root power.  Hence, we lose control of which image should be run with
--privileges, and who have sudo rights to use privileged container images.  As the result,
we should check for sudo access then decide to parameterize --privileged=true OR --user=uid:gid.
 This will avoid leading developer down the wrong path.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org

View raw message