[ https://issues.apache.org/jira/browse/MAPREDUCE-2096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12929892#action_12929892 ]

Todd Lipcon commented on MAPREDUCE-2096:
----------------------------------------

Does anyone have a suggestion on how to get common's native library build onto mapreduce's library path post-split? It seems we should be publishing a tarball of common/build/native into maven, and then retrieving it with ivy from mapreduce, perhaps? Does anyone have a better idea, or should I open a JIRA to publish the native build as an artifact?

> Secure local filesystem IO from symlink vulnerabilities
> -------------------------------------------------------
>
>                 Key: MAPREDUCE-2096
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-2096
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>          Components: jobtracker, security, tasktracker
>    Affects Versions: 0.22.0
>            Reporter: Todd Lipcon
>            Assignee: Todd Lipcon
>            Priority: Blocker
>         Attachments: mapreduce-2096-index-oob.txt, secure-files-9.txt,
>                      secure-files-authorized-jvm-fix.txt
>
>
> This JIRA is to contribute a patch developed on the private security@ mailing list.
>
> The vulnerability is that MR daemons occasionally open files that are located in a path where the user has write access. A malicious user may place a symlink in place of the expected file in order to cause the daemon to instead read another file on the system -- one which the attacker may not naturally be able to access. This includes delegation tokens belonging to other users, log files, keytabs, etc.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
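The quoted issue description explains the class of bug (a daemon opens a file under a user-writable path, and the user swaps in a symlink) but the JIRA notification carries no code. The following Python is an added example, not Todd Lipcon's patch or any Hadoop code, showing the defensive open a daemon wants for such paths on a POSIX system: open with `O_NOFOLLOW` so the kernel refuses a symlink outright, then verify with `fstat` on the descriptor actually obtained that it is a regular file owned by the expected uid. The directory layout, file names and contents in `build_demo_tree` are constructed for the demonstration and are not Hadoop's real paths.

```python
import os
import stat
import tempfile


def open_untrusted_path_for_read(path, expected_uid=None):
    """Open `path` read-only while refusing to follow a symlink placed at it.

    `expected_uid` is the uid the file must be owned by (default: the uid of
    the current process). Returns an open file descriptor, or raises OSError
    when the path is a symlink, is not a regular file, or has another owner.
    """
    if expected_uid is None:
        expected_uid = os.getuid()
    # O_NOFOLLOW makes the kernel fail the open with ELOOP if the final path
    # component is a symlink, so there is no check-then-open window in which
    # the file could be replaced by a link. O_CLOEXEC keeps the descriptor
    # from leaking into child processes.
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_CLOEXEC", 0)
    fd = os.open(path, flags)
    try:
        st = os.fstat(fd)  # properties of the object we actually opened
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        # Best-effort fallback for platforms lacking O_NOFOLLOW: the inode we
        # hold must be the one the directory entry itself names; a symlink
        # entry reports a different (dev, inode) pair under lstat.
        lst = os.lstat(path)
        if stat.S_ISLNK(lst.st_mode) or (lst.st_dev, lst.st_ino) != (st.st_dev, st.st_ino):
            raise PermissionError(f"{path}: refusing to follow symlink")
        if st.st_uid != expected_uid:
            raise PermissionError(
                f"{path}: owned by uid {st.st_uid}, expected uid {expected_uid}")
    except BaseException:
        os.close(fd)
        raise
    return fd


def try_read(path, expected_uid=None):
    """Return ("ok", contents) or ("refused", reason) for the given path."""
    try:
        fd = open_untrusted_path_for_read(path, expected_uid)
    except OSError as exc:
        return ("refused", str(exc))
    with os.fdopen(fd, "rb") as f:
        return ("ok", f.read())


def build_demo_tree():
    """Constructed fixture (hypothetical layout, not real Hadoop paths): a
    user-writable directory holding a legitimate file and a symlink that
    points at a file outside that directory."""
    root = tempfile.mkdtemp(prefix="symlink-demo-")
    outside = os.path.join(root, "outside.secret")
    with open(outside, "wb") as f:
        f.write(b"NOT-FOR-THIS-USER")
    userdir = os.path.join(root, "userdir")
    os.mkdir(userdir)
    legit = os.path.join(userdir, "job.xml")
    with open(legit, "wb") as f:
        f.write(b"<configuration/>")
    trap = os.path.join(userdir, "job.xml.trap")
    os.symlink(outside, trap)
    return {"legit": legit, "trap": trap, "outside": outside}


if __name__ == "__main__":
    tree = build_demo_tree()
    for name in ("legit", "trap"):
        status, detail = try_read(tree[name])
        print(f"{name}: {status} {detail!r}")
```

The ownership check matters as much as the symlink check: even a regular file that an attacker hard-linked or copied into place is rejected if its owner is not the user the daemon expects, which is the property the JIRA's title ("secure local filesystem IO") is after. Because the checks run on the descriptor returned by `open`, they describe the file the daemon will actually read rather than whatever the path pointed to a moment earlier.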