mesos-issues mailing list archives

From "Anindya Sinha (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (MESOS-6953) A compromised mesos-master node can execute code as root on agents.
Date Mon, 23 Jan 2017 04:52:26 GMT

    [ https://issues.apache.org/jira/browse/MESOS-6953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15830550#comment-15830550 ]

Anindya Sinha edited comment on MESOS-6953 at 1/23/17 4:52 AM:
---------------------------------------------------------------

To address this, we should add support for {{run_tasks}} in the {{acls}} parameter in the
Mesos agent's startup args to indicate the list of users who are authorized to run tasks on the
agent.
If this list contains the task user or if this list is empty (or the arg is missing), we allow
the task to be launched on the agent. Otherwise, the agent shall not let the task be launched,
and shall send a {{TASK_FAILED}} StatusUpdate with either {{REASON_TASK_UNAUTHORIZED}} (for a task)
or {{REASON_TASK_GROUP_UNAUTHORIZED}} (for a task group) denoting that the user is not authorized
to run the task or task group.



was (Author: anindya.sinha):
To mitigate this, we can add an optional arg in mesos-agent called {{whitelisted_users}}, which
is a list of users who are authorized to run tasks on the agent.
If this list contains the task user or if this list is empty (or the arg is missing), we allow
the task to be launched on the agent. Otherwise, the agent shall not let the task be launched,
and shall send a {{TASK_FAILED}} StatusUpdate with a new {{Reason}} denoting that the user is not
authorized to run the task.

> A compromised mesos-master node can execute code as root on agents.
> -------------------------------------------------------------------
>
>                 Key: MESOS-6953
>                 URL: https://issues.apache.org/jira/browse/MESOS-6953
>             Project: Mesos
>          Issue Type: Bug
>          Components: security
>            Reporter: Anindya Sinha
>            Assignee: Anindya Sinha
>              Labels: security, slave
>
> mesos-master has a `--[no-]root_submissions` flag that controls whether frameworks with
> `root` user are admitted to the cluster.
> However, if a mesos-master node is compromised, it can attempt to schedule tasks on the agent
> as the `root` user. Since mesos-agent has no check against tasks running on the agent for
> specific users, tasks can get run with `root` privileges within the container
> on the agent.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
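
The agent-side check proposed in the comment above, written out as an added example; it is not code from the message or from the Mesos project. The reason names come from the comment, while `RunTasksAcl`, `Decision`, `authorizeTask`, `authorizeTaskGroup` and the sample user names are hypothetical, and the all-or-nothing handling of a task group is an assumption.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Reason names are the ones quoted in the comment; every type and function
// here is a hypothetical stand-in, not a Mesos class.
enum class Reason { NONE, REASON_TASK_UNAUTHORIZED, REASON_TASK_GROUP_UNAUTHORIZED };

struct Decision {
  bool launch;    // false: the agent sends TASK_FAILED with `reason`
  Reason reason;
};

// Assumed model of the agent-local `run_tasks` list.
struct RunTasksAcl {
  bool present;                 // false: the arg was not given at startup
  std::set<std::string> users;  // users authorized to run tasks
};

// A missing or empty list allows every user, root included.
bool userAllowed(const RunTasksAcl& acl, const std::string& user) {
  if (!acl.present || acl.users.empty()) return true;
  return acl.users.count(user) > 0;
}

Decision authorizeTask(const RunTasksAcl& acl, const std::string& user) {
  if (userAllowed(acl, user)) return {true, Reason::NONE};
  return {false, Reason::REASON_TASK_UNAUTHORIZED};
}

// Assumption: a task group is all-or-nothing, so one unauthorized user
// rejects the whole group.
Decision authorizeTaskGroup(const RunTasksAcl& acl,
                            const std::vector<std::string>& users) {
  for (const std::string& user : users)
    if (!userAllowed(acl, user))
      return {false, Reason::REASON_TASK_GROUP_UNAUTHORIZED};
  return {true, Reason::NONE};
}

int main() {
  RunTasksAcl unset{false, {}};                      // constructed inputs
  RunTasksAcl acl{true, {"svc-web", "svc-batch"}};
  std::cout << "unset list, root:   " << authorizeTask(unset, "root").launch << "\n"
            << "listed users, root: " << authorizeTask(acl, "root").launch << "\n";
  return 0;
}
```

Because a missing or empty list allows every user, an agent started without the list still accepts `root` tasks from the master; the check only constrains the master once the list is populated on each agent.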
