Secure local filesystem IO from symlink vulnerabilities
-------------------------------------------------------
Key: MAPREDUCE-2096
URL: https://issues.apache.org/jira/browse/MAPREDUCE-2096
Project: Hadoop Map/Reduce
Issue Type: Bug
Components: jobtracker, security, tasktracker
Affects Versions: 0.22.0
Reporter: Todd Lipcon
Assignee: Todd Lipcon
Priority: Blocker
This JIRA is to contribute a patch developed on the private security@ mailing
list.
The vulnerability is that MR daemons occasionally open files that are located
in a path where the user has write access. A malicious user may place a symlink
in place of the expected file in order to cause the daemon to instead read
another file on the system -- one which the attacker may not naturally be able
to access. This includes delegation tokens belong to other users, log files,
keytabs, etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
