[ https://issues.apache.org/jira/browse/MAPREDUCE-2096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12975957#action_12975957 ]
Todd Lipcon commented on MAPREDUCE-2096:
----------------------------------------

Results on mapreduce-2096.2.txt:

    [exec] +1 overall.
    [exec]
    [exec]     +1 @author.  The patch does not contain any @author tags.
    [exec]
    [exec]     +1 tests included.  The patch appears to include 3 new or modified tests.
    [exec]
    [exec]     +1 javadoc.  The javadoc tool did not generate any warning messages.
    [exec]
    [exec]     +1 javac.  The applied patch does not increase the total number of javac compiler warnings.
    [exec]
    [exec]     +1 findbugs.  The patch does not introduce any new Findbugs (version 1.3.9) warnings.
    [exec]
    [exec]     +1 release audit.  The applied patch does not increase the total number of release audit warnings.
    [exec]
    [exec]     +1 system test framework.  The patch passed system test framework compile.

Unit tests pass except for the known timeouts from trunk.

> Secure local filesystem IO from symlink vulnerabilities
> -------------------------------------------------------
>
>                 Key: MAPREDUCE-2096
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-2096
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>          Components: jobtracker, security, tasktracker
>    Affects Versions: 0.22.0
>            Reporter: Todd Lipcon
>            Assignee: Todd Lipcon
>            Priority: Blocker
>             Fix For: 0.22.0
>
>         Attachments: mapreduce-2096-index-oob.txt, mapreduce-2096.2.txt, mapreduce-2096.txt, secure-files-9.txt, secure-files-authorized-jvm-fix.txt
>
>
> This JIRA is to contribute a patch developed on the private security@ mailing list.
>
> The vulnerability is that MR daemons occasionally open files that are located in a path where the user has write access. A malicious user may place a symlink in place of the expected file in order to cause the daemon to instead read another file on the system -- one which the attacker may not naturally be able to access. This includes delegation tokens belonging to other users, log files, keytabs, etc.

--
This message is automatically generated by JIRA.
- You can reply to this email to add a comment to the issue online.
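The defensive pattern behind the issue description above, as an added example that is not the MAPREDUCE-2096 patch or any Hadoop code: a daemon that must read a file from a user-writable directory opens it without following a symlink at the final path component and then checks ownership and file type on the descriptor it actually got, not on the path. The `open_for_read_secure` and `demo` names and the constructed `task.token` / `secret.keytab` files are assumptions for illustration.

```python
import os
import stat
import tempfile


def open_for_read_secure(path: str, expected_uid: int):
    """Open `path` for reading, refusing a symlink at the final component
    (O_NOFOLLOW) and then verifying on the *opened* descriptor (fstat, not
    stat on the path) that it is a regular file owned by `expected_uid`.
    Checking after the open closes the check-then-open race window."""
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_CLOEXEC", 0)
    fd = os.open(path, flags)  # raises OSError (ELOOP) if path is a symlink
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != expected_uid:
            raise PermissionError(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    except BaseException:
        os.close(fd)
        raise
    return os.fdopen(fd, "rb")


def demo() -> dict:
    """Constructed scenario (hypothetical names): the daemon expects to read
    `task.token` from a directory the task user can write to; the user has
    replaced the expected name with a symlink pointing at `secret.keytab`."""
    uid = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.keytab")
        with open(secret, "w") as f:
            f.write("keytab-bytes")
        good = os.path.join(d, "task.token")
        with open(good, "w") as f:
            f.write("token")
        link = os.path.join(d, "task.token.link")
        os.symlink(secret, link)  # the attacker-placed symlink
        with open_for_read_secure(good, uid) as f:   # honest file: readable
            results["regular"] = f.read().decode()
        try:
            open_for_read_secure(link, uid)          # symlink: refused at open
            results["symlink"] = "opened"
        except OSError:
            results["symlink"] = "rejected"
        try:
            open_for_read_secure(good, uid + 1)      # wrong owner: refused after fstat
            results["wrong_owner"] = "opened"
        except PermissionError:
            results["wrong_owner"] = "rejected"
    return results
```

Ownership alone would not catch the symlink in this scenario (target and link share a uid), which is why the O_NOFOLLOW open and the post-open fstat check are layered rather than used in isolation.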