[jira] [Commented] (SPARK-43369) Address comments about /etc/pam.d/su
[ https://issues.apache.org/jira/browse/SPARK-43369?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17728207#comment-17728207 ]

Yikun Jiang commented on SPARK-43369:
-------------------------------------

This might not be an issue according to https://github.com/docker-library/official-images/pull/13089#issuecomment-1561793792

```
Yeah, it is extra, but harmless. A stronger guarantee to prevent privilege escalation would be in recommending that users set --security-opt=no-new-privileges (or allowPrivilegeEscalation: false in Kubernetes).
```

> Address comments about /etc/pam.d/su
> ------------------------------------
>
>                 Key: SPARK-43369
>                 URL: https://issues.apache.org/jira/browse/SPARK-43369
>             Project: Spark
>          Issue Type: Sub-task
>          Components: Spark Docker
>    Affects Versions: 3.5.0
>            Reporter: Yikun Jiang
>            Priority: Minor
>
> echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su &&
> I am unsure what this is for? 😕 As far as I can tell, this means that only
> members of the administrative group wheel (or 0 if there is no wheel) can
> switch to another user using the su command. That might make sense on a
> regular multi-user system, but I am unsure why it would matter for a
> container.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
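An added example (not code from the Spark images or from anyone in this thread): a POSIX shell check for the two controls the comment above contrasts, the `pam_wheel` rule in `/etc/pam.d/su` and the kernel `no_new_privs` flag that `--security-opt=no-new-privileges` or `allowPrivilegeEscalation: false` sets. The function names and the sample files are constructed for illustration; inside a container the inputs would be `/etc/pam.d/su` and `/proc/1/status`.

```shell
#!/bin/sh
# Added example: report which of the two controls discussed above is in effect.
# File paths are parameters so the checks can run against constructed input.

# Succeeds if the PAM service file has an active (uncommented)
# "auth required pam_wheel.so" rule, the form quoted in the issue.
# Options after the module name (e.g. use_uid) are accepted.
has_pam_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so([[:space:]]|$)' "$1" 2>/dev/null
}

# Prints the NoNewPrivs value (0 or 1) from a /proc/<pid>/status-style file,
# or "unknown" if the field is missing (kernels older than 4.10) or unreadable.
no_new_privs() {
    v=$(awk '$1 == "NoNewPrivs:" { print $2; exit }' "$1" 2>/dev/null) || true
    echo "${v:-unknown}"
}

# audit <pam service file> <proc status file>
audit() {
    if has_pam_wheel "$1"; then wheel=present; else wheel=absent; fi
    echo "pam_wheel=$wheel no_new_privs=$(no_new_privs "$2")"
}

# Constructed sample: the rule from the issue plus a status excerpt from a
# process started with no-new-privileges.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_rootok.so' \
        'auth required pam_wheel.so use_uid' > "$d/su"
    printf 'Name:\tsh\nNoNewPrivs:\t1\n' > "$d/status"
    audit "$d/su" "$d/status"
    rm -rf "$d"
}

demo
```

A result of `no_new_privs=1` means setuid binaries such as `su` cannot grant additional privileges to the process, whether or not the `pam_wheel` rule is present.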
[jira] [Commented] (SPARK-43369) Address comments about /etc/pam.d/su
[ https://issues.apache.org/jira/browse/SPARK-43369?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17727144#comment-17727144 ]

Sean R. Owen commented on SPARK-43369:
--------------------------------------

What is the issue here?

> Address comments about /etc/pam.d/su
> ------------------------------------
>
>                 Key: SPARK-43369
>                 URL: https://issues.apache.org/jira/browse/SPARK-43369
>             Project: Spark
>          Issue Type: Sub-task
>          Components: Spark Docker
>    Affects Versions: 3.5.0
>            Reporter: Yikun Jiang
>            Priority: Minor
>
> echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su &&
> I am unsure what this is for? 😕 As far as I can tell, this means that only
> members of the administrative group wheel (or 0 if there is no wheel) can
> switch to another user using the su command. That might make sense on a
> regular multi-user system, but I am unsure why it would matter for a
> container.
[jira] [Commented] (SPARK-43369) Address comments about /etc/pam.d/su
[ https://issues.apache.org/jira/browse/SPARK-43369?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17719223#comment-17719223 ]

Yikun Jiang commented on SPARK-43369:
-------------------------------------

Related original change: https://issues.apache.org/jira/browse/SPARK-25275

> Address comments about /etc/pam.d/su
> ------------------------------------
>
>                 Key: SPARK-43369
>                 URL: https://issues.apache.org/jira/browse/SPARK-43369
>             Project: Spark
>          Issue Type: Sub-task
>          Components: Spark Docker
>    Affects Versions: 3.5.0
>            Reporter: Yikun Jiang
>            Priority: Major
>
> echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su &&
> I am unsure what this is for? 😕 As far as I can tell, this means that only
> members of the administrative group wheel (or 0 if there is no wheel) can
> switch to another user using the su command. That might make sense on a
> regular multi-user system, but I am unsure why it would matter for a
> container.