mesos-reviews mailing list archives

From Gilbert Song <songzihao1...@gmail.com>
Subject Re: Review Request 50200: Made the agent fetch files as the task user.
Date Tue, 19 Jul 2016 20:58:39 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/50200/#review142833
-----------------------------------------------------------




src/launcher/fetcher.cpp (lines 519 - 525)
<https://reviews.apache.org/r/50200/#comment208505>

    An open discussion:
    
    After looking at os::chown(), we should not only change the file owner, but also the groups.
    So only getting and setting the uid looks insufficient to me. We should consider doing the same
    for the gid and the supplementary groups (please look at /mesos/launch.cpp for examples).


- Gilbert Song


On July 19, 2016, 1:53 p.m., Greg Mann wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/50200/
> -----------------------------------------------------------
> 
> (Updated July 19, 2016, 1:53 p.m.)
> 
> 
> Review request for mesos, Gilbert Song, Jie Yu, and Joerg Schad.
> 
> 
> Bugs: mesos-5845
>     https://issues.apache.org/jira/browse/mesos-5845
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> To ensure that a task cannot fetch root-protected
> files from the local filesystem when running as a
> non-root user, this patch changes the fetcher to
> fetch files as the task user.
> 
> 
> Diffs
> -----
> 
>   src/launcher/fetcher.cpp 0539b0182bd4a7178f103dddd1ab4fee8fc79eda 
>   src/tests/fetcher_tests.cpp d38ce6e750dc828ef5af4a27fac76327cc4cb56c 
> 
> Diff: https://reviews.apache.org/r/50200/diff/
> 
> 
> Testing
> -------
> 
> A new test was added to the fetcher tests: `FetcherTest.ROOT_RootProtectedFileURI`.
> 
> `sudo make check` was used to test on both OSX and CentOS 7.
> 
> Note that two of the fetcher tests fail for me when run as root on OSX. I saw the following on my OSX 10.10.5 system:
> ```
> [  FAILED  ] FetcherCacheTest.LocalUncachedExtract
> [  FAILED  ] FetcherCacheHttpTest.HttpMixed
> ```
> 
> These failures are already tracked here: https://issues.apache.org/jira/browse/MESOS-4890
> 
> 
> Thanks,
> 
> Greg Mann
> 
>
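
The review comment above (uid alone is insufficient; gid and supplementary groups must change too), as an added example that is not part of the original message and is not Mesos code. The names `leaked`, `drop_to_user` and `LEAK_*` and the 64-entry group buffers are assumptions made for this illustration.

```c
/* Added example, not Mesos code. All names here are illustrative. */
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <unistd.h>

enum { LEAK_UID = 1, LEAK_GID = 2, LEAK_GROUPS = 4 };

/* Pure check on a credential set: which parts do not match the target?
 * `allowed` is the target user's own supplementary group list. */
int leaked(uid_t uid, gid_t gid, const gid_t *groups, int n,
           uid_t t_uid, gid_t t_gid, const gid_t *allowed, int na)
{
    int mask = 0;
    if (uid != t_uid) mask |= LEAK_UID;
    if (gid != t_gid) mask |= LEAK_GID;
    for (int i = 0; i < n; i++) {
        int ok = (groups[i] == t_gid);
        for (int j = 0; j < na && !ok; j++)
            ok = (groups[i] == allowed[j]);
        if (!ok) mask |= LEAK_GROUPS;   /* e.g. gid 0 inherited from root */
    }
    return mask;
}

/* Must be called as root. Returns 0 only if the drop is complete. */
int drop_to_user(const char *user)
{
    gid_t allowed[64], now[64];
    int na = 64, n;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) return -1;
    uid_t uid = pw->pw_uid; gid_t gid = pw->pw_gid;
    if (getgrouplist(user, gid, allowed, &na) < 0) return -1;
    /* Groups and gid first: after setuid() the process can no longer
     * change them, so a uid-only drop keeps root's groups for good. */
    if (initgroups(user, gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;  /* regaining root must fail */
    if ((n = getgroups(64, now)) < 0) return -1;
    return leaked(getuid(), getgid(), now, n, uid, gid, allowed, na) ? -1 : 0;
}
```
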

