[ https://issues.apache.org/jira/browse/MAPREDUCE-2096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12970376#action_12970376 ]
Devaraj Das commented on MAPREDUCE-2096:
----------------------------------------

Patch looks fine. Todd, could you please get back with the results from running the full test suite + test-patch.

> Secure local filesystem IO from symlink vulnerabilities
> -------------------------------------------------------
>
>                 Key: MAPREDUCE-2096
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-2096
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>          Components: jobtracker, security, tasktracker
>    Affects Versions: 0.22.0
>            Reporter: Todd Lipcon
>            Assignee: Todd Lipcon
>            Priority: Blocker
>             Fix For: 0.22.0
>
>         Attachments: mapreduce-2096-index-oob.txt, mapreduce-2096.txt,
> secure-files-9.txt, secure-files-authorized-jvm-fix.txt
>
>
> This JIRA is to contribute a patch developed on the private security@ mailing
> list.
> The vulnerability is that MR daemons occasionally open files that are located
> in a path where the user has write access. A malicious user may place a
> symlink in place of the expected file in order to cause the daemon to instead
> read another file on the system -- one which the attacker may not naturally
> be able to access. This includes delegation tokens belonging to other users, log
> files, keytabs, etc.
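
An added example, not code from the MAPREDUCE-2096 patch or from Hadoop, of one defensive pattern against the symlink swap described in the issue: open with `O_NOFOLLOW`, then check file type and owner with `fstat` on the descriptor rather than on the path. It is written in Python for POSIX systems; `secure_read`, `InsecurePathError`, `demo` and all file names are hypothetical, and the directory layout is constructed.

```python
import errno
import os
import stat
import tempfile


class InsecurePathError(Exception):
    """Path did not resolve to a regular file owned by the expected user."""


def secure_read(path, expected_uid):
    """Read path only if it is a non-symlink regular file owned by expected_uid."""
    # O_NOFOLLOW refuses a symlink in the final component; O_NONBLOCK avoids hanging on a FIFO.
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.EMLINK):
            raise InsecurePathError(f"{path}: symlink refused") from e
        raise
    try:
        st = os.fstat(fd)  # inspects the object actually opened, not the name
        if not stat.S_ISREG(st.st_mode):
            raise InsecurePathError(f"{path}: not a regular file")
        if st.st_uid != expected_uid:
            raise InsecurePathError(f"{path}: owned by uid {st.st_uid}")
        with open(fd, "rb", closefd=False) as f:
            return f.read()
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: a user-writable directory holding a planted symlink."""
    with tempfile.TemporaryDirectory() as root:
        secret = os.path.join(root, "other-users-token")  # constructed stand-in
        userdir = os.path.join(root, "userdir")
        os.mkdir(userdir)
        good, planted = (os.path.join(userdir, n) for n in ("job.xml", "task.log"))
        for p, data in ((secret, b"SECRET"), (good, b"ok")):
            with open(p, "wb") as f:
                f.write(data)
        os.symlink(secret, planted)  # the swap described in the issue
        def outcome(p, uid=os.getuid()):
            try:
                return secure_read(p, uid)
            except InsecurePathError:
                return "refused"
        return {"regular": outcome(good), "symlink": outcome(planted),
                "wrong_owner": outcome(good, os.getuid() + 1)}
```

`O_NOFOLLOW` only covers the final path component, so a symlinked parent directory is still followed; the owner check on the opened descriptor is what catches that case when the target belongs to a different user.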