[ 
https://issues.apache.org/jira/browse/MESOS-6953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15830550#comment-15830550
 ] 

Anindya Sinha edited comment on MESOS-6953 at 1/19/17 8:27 PM:
---------------------------------------------------------------

To mitigate this, we can add an optional arg in mesos-agent called 
{{whitelisted-users}} which is a list of users who are authorized to run tasks 
on the agent.
If this list contains the task user or if this list is empty (or the arg is 
missing), we allow the task to be launched on the agent. Otherwise, the agent 
shall not let the task be launched, and shall send a {{TASK_FAILED}} 
StatusUpdate with a new {{Reason}} denoting that the user is not authorized to 
run the task.


was (Author: anindya.sinha):
To mitigate this, we can add an optional arg in mesos-agent called 
`whitelisted-users` which is a list of users who are authorized to run tasks on 
the agent.
If this list contains the task user or if this list is empty (or the arg is 
missing), we allow the task to be launched on the agent. Otherwise, the agent 
shall not let the task be launched, and shall send a `TASK_FAILED` StatusUpdate 
with a new `Reason` denoting that the user is not authorized to run the task.

> A compromised mesos-Master can execute code as root on agents.
> --------------------------------------------------------------
>
>                 Key: MESOS-6953
>                 URL: https://issues.apache.org/jira/browse/MESOS-6953
>             Project: Mesos
>          Issue Type: Bug
>          Components: security
>            Reporter: Anindya Sinha
>            Assignee: Anindya Sinha
>              Labels: security, slave
>
> mesos-master has a `--[no-]root_submissions` flag that controls whether 
> frameworks with `root` user are admitted to the cluster.
> However, if a mesos-master node is compromised, it can attempt to schedule 
> tasks on the agent as the `root` user. Since mesos-agent has no check against 
> tasks running on the agent for specific users, tasks can get run with `root` 
> privileges within the container on the agent.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
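
A sketch of the agent-side check proposed in the comment above, added here as an example; it is not code from the Mesos code base or from the commenter. The `Decision` struct, the function names, the comma-separated flag format, the fallback to the framework user and the reason name `REASON_TASK_USER_UNAUTHORIZED` are all assumptions made for illustration.

```cpp
#include <set>
#include <sstream>
#include <string>

// Parse the value of the proposed `whitelisted-users` agent argument.
// Assumption: a comma-separated list; whitespace and empty entries are dropped.
std::set<std::string> parseWhitelist(const std::string& flag) {
  std::set<std::string> users;
  std::istringstream in(flag);
  std::string item;
  while (std::getline(in, item, ',')) {
    const std::string::size_type first = item.find_first_not_of(" \t");
    if (first == std::string::npos) continue;  // entry was empty or blank
    const std::string::size_type last = item.find_last_not_of(" \t");
    users.insert(item.substr(first, last - first + 1));
  }
  return users;
}

// Simplified stand-in for a Mesos StatusUpdate (assumption for this sketch).
struct Decision {
  bool launch;
  std::string state;   // "TASK_FAILED" when the launch is refused
  std::string reason;  // hypothetical name; the comment does not name the Reason
};

// Check performed on the agent itself, so it still holds when the master
// that scheduled the task cannot be trusted.
Decision authorizeTaskUser(const std::set<std::string>& whitelist,
                           const std::string& taskUser,
                           const std::string& frameworkUser) {
  // Assumption: a task with no user of its own runs as the framework user.
  const std::string& user = taskUser.empty() ? frameworkUser : taskUser;

  // As proposed: an empty list (or a missing argument) imposes no restriction,
  // so `root` is refused only when a non-empty list omits it.
  if (whitelist.empty() || whitelist.count(user) > 0) {
    return {true, "", ""};
  }
  return {false, "TASK_FAILED", "REASON_TASK_USER_UNAUTHORIZED"};
}
```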
