Secure local filesystem IO from symlink vulnerabilities -------------------------------------------------------
Key: MAPREDUCE-2096 URL: https://issues.apache.org/jira/browse/MAPREDUCE-2096 Project: Hadoop Map/Reduce Issue Type: Bug Components: jobtracker, security, tasktracker Affects Versions: 0.22.0 Reporter: Todd Lipcon Assignee: Todd Lipcon Priority: Blocker This JIRA is to contribute a patch developed on the private security@ mailing list. The vulnerability is that MR daemons occasionally open files that are located in a path where the user has write access. A malicious user may place a symlink in place of the expected file in order to cause the daemon to instead read another file on the system -- one which the attacker may not naturally be able to access. This includes delegation tokens belong to other users, log files, keytabs, etc. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.