[jira] [Commented] (YARN-11231) FSDownload set wrong permission in destinationTmp
[ https://issues.apache.org/jira/browse/YARN-11231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17667205#comment-17667205 ]

Zhang Dongsheng commented on YARN-11231:
----------------------------------------

Hi [~cnauroth]. Thanks for your notice here. I think you are right, so I close PR [4629|https://github.com/apache/hadoop/pull/4629].

> FSDownload set wrong permission in destinationTmp
> -------------------------------------------------
>
> Key: YARN-11231
> URL: https://issues.apache.org/jira/browse/YARN-11231
> Project: Hadoop YARN
> Issue Type: Bug
> Components: yarn
> Reporter: Zhang Dongsheng
> Assignee: Zhang Dongsheng
> Priority: Major
> Labels: pull-request-available
> Time Spent: 20m
> Remaining Estimate: 0h
>
> FSDownload calls createDir in the call method to create the destinationTmp
> directory, which is later used as the parent directory to create the
> directory dFinal, which is used in doAs to perform operations such as path
> creation and path traversal. doAs cannot determine the user's identity, so
> there is a problem with setting 755 permissions for destinationTmp here, I
> think it should be set to 777 permissions here.

--
This message was sent by Atlassian Jira (v8.20.10#820010)

To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org

[jira] [Commented] (YARN-11231) FSDownload set wrong permission in destinationTmp
[ https://issues.apache.org/jira/browse/YARN-11231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17655278#comment-17655278 ]

ASF GitHub Bot commented on YARN-11231:
---------------------------------------

skysiders closed pull request #4629: YARN-11231 modify destinationTmp permission from 755 to 777
URL: https://github.com/apache/hadoop/pull/4629

[jira] [Commented] (YARN-11231) FSDownload set wrong permission in destinationTmp
[ https://issues.apache.org/jira/browse/YARN-11231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17572042#comment-17572042 ]

Chris Nauroth commented on YARN-11231:
--------------------------------------

777 is generally a very dangerous thing. This seems like it would open security risks of other users writing into the submitter's directories. Can you provide more details about the problem and how 777 solves it?

In an unsecured cluster, this all runs as the yarn user, so I don't see how there would be a problem there. In a Kerberos secured cluster, resource localization runs as the submitting user, which should be granted access with 755. Is there something unique in your configuration that causes a conflict?
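
An added example, not part of the thread and not Hadoop's own code: a Python check an operator could run over a localization directory to list the directories that other users can write into, which is the risk raised about 777 in the comment above. The directory names created by `build_sample` are constructed for the demonstration, and a POSIX filesystem is assumed.

```python
import os
import stat
import tempfile


def others_can_create(mode):
    """True if a user who is neither owner nor group member can add entries."""
    # Creating an entry in a directory needs write AND search (execute) bits.
    return bool(mode & stat.S_IWOTH) and bool(mode & stat.S_IXOTH)


def audit_tree(root):
    """Return sorted (relative path, octal mode, sticky) for risky directories."""
    findings = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if not stat.S_ISDIR(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if others_can_create(mode):
                # Sticky bit stops deletion of others' files, not creation.
                sticky = bool(mode & stat.S_ISVTX)
                findings.append((os.path.relpath(path, root), oct(mode), sticky))
    return sorted(findings)


def build_sample(root):
    """Constructed layout: one directory per mode discussed in the thread."""
    for name, mode in (("destinationTmp_755", 0o755), ("destinationTmp_777", 0o777)):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)  # chmod explicitly so the process umask cannot mask bits
        inner = os.path.join(path, "dFinal")
        os.mkdir(inner)
        os.chmod(inner, 0o755)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for rel, mode, sticky in audit_tree(root):
            print(f"{rel}: mode {mode}, sticky={sticky}: other users can create entries")
```

Only the 777 directory is reported; with 755 the owner alone can create `dFinal` beneath it, while group and other users can still traverse and read.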