[jira] Commented: (MAPREDUCE-1994) Linux task-controller determines its own path insecurely
[ https://issues.apache.org/jira/browse/MAPREDUCE-1994?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12896203#action_12896203 ] Todd Lipcon commented on MAPREDUCE-1994: Oops, missed your comment, sorry! bq. Secure permissions on this file are really really important and are validated by the binary itself anyways. Yep, the issue here is that if the admin has messed up and has an incorrectly configured task-controller floating around, the user can evade those checks and then use it for ill purposes. It's not too likely of a scenario, which is why I raised this here instead of secur...@. What I imagine happening is someone configuring task-controller incorrectly, trying to enable it in the config, and it not working. Rather than debug the issue, they switch back to the normal task controller and leave the setuid binary hanging around. With the permissions checks, the scenario is safe, but without, the sysadmin has opened a big hole :) > Linux task-controller determines its own path insecurely > > > Key: MAPREDUCE-1994 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-1994 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: security, task-controller >Affects Versions: 0.22.0 >Reporter: Todd Lipcon >Assignee: Todd Lipcon >Priority: Critical > Attachments: mapreduce-1994-prelim.txt > > > The task-controller uses argv[0] to determine its own path, and then calls > stat() on that. Instead it should stat("/proc/self/exe") directly. This is > important since argv[0] can be spoofed to point to another program and thus > either fool the autodetection of HADOOP_HOME or evade various permissions > checks. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (MAPREDUCE-1994) Linux task-controller determines its own path insecurely
[ https://issues.apache.org/jira/browse/MAPREDUCE-1994?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12895999#action_12895999 ] Vinod K V commented on MAPREDUCE-1994: -- bq. I believe you're allowed to make hard links to other files regardless of their permissions. If it were kept in a directory with strict permissions, that would help the issue a little bit. I actually meant that even though an attacker can create hard-links, he/she cannot run it because of the strict permissions. Secure permissions on this file are really really important and are validated by the binary itself anyways. Given that we can simply address the arv[0] spoof problem here. Is that fine? > Linux task-controller determines its own path insecurely > > > Key: MAPREDUCE-1994 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-1994 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: security, task-controller >Affects Versions: 0.22.0 >Reporter: Todd Lipcon >Assignee: Todd Lipcon >Priority: Critical > > The task-controller uses argv[0] to determine its own path, and then calls > stat() on that. Instead it should stat("/proc/self/exe") directly. This is > important since argv[0] can be spoofed to point to another program and thus > either fool the autodetection of HADOOP_HOME or evade various permissions > checks. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (MAPREDUCE-1994) Linux task-controller determines its own path insecurely
[ https://issues.apache.org/jira/browse/MAPREDUCE-1994?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12895743#action_12895743 ] Todd Lipcon commented on MAPREDUCE-1994: Yea, sorry, HADOOP_CONF_DIR - the code is a bit messy as it actually detects HADOOP_HOME and then appends conf/ later... working on a patch that cleans this code up as well. bq. It is documented to set permissions on task-controller to be as strict as "6050 root mapred". That should avoid creating hard links to the binary, no? I believe you're allowed to make hard links to other files regardless of their permissions. If it were kept in a directory with strict permissions, that would help the issue a little bit. bq. Just curious, an example of argv[0] spoof? perl -e 'exec { "/real/path/to/task-controller" } "fake-argv[0]", "normal", "args", "...";' There isn't really an obvious exploit here since task-controller is supposed to be set with permissions so that the normal user can't run it. But if it's misconfigured, the attacker can likely evade the check for that misconfiguration by something like this, so it's worth fixing. > Linux task-controller determines its own path insecurely > > > Key: MAPREDUCE-1994 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-1994 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: security, task-controller >Affects Versions: 0.22.0 >Reporter: Todd Lipcon >Assignee: Todd Lipcon >Priority: Critical > > The task-controller uses argv[0] to determine its own path, and then calls > stat() on that. Instead it should stat("/proc/self/exe") directly. This is > important since argv[0] can be spoofed to point to another program and thus > either fool the autodetection of HADOOP_HOME or evade various permissions > checks. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (MAPREDUCE-1994) Linux task-controller determines its own path insecurely
[ https://issues.apache.org/jira/browse/MAPREDUCE-1994?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12895565#action_12895565 ] Vinod K V commented on MAPREDUCE-1994: -- I think you meant HADOOP_CONF_DIR. It is documented to set permissions on task-controller to be as strict as "6050 root mapred". That should avoid creating hard links to the binary, no? Just curious, an example of argv[0] spoof? > Linux task-controller determines its own path insecurely > > > Key: MAPREDUCE-1994 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-1994 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: security, task-controller >Affects Versions: 0.22.0 >Reporter: Todd Lipcon >Assignee: Todd Lipcon >Priority: Critical > > The task-controller uses argv[0] to determine its own path, and then calls > stat() on that. Instead it should stat("/proc/self/exe") directly. This is > important since argv[0] can be spoofed to point to another program and thus > either fool the autodetection of HADOOP_HOME or evade various permissions > checks. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (MAPREDUCE-1994) Linux task-controller determines its own path insecurely
[ https://issues.apache.org/jira/browse/MAPREDUCE-1994?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12895458#action_12895458 ] Todd Lipcon commented on MAPREDUCE-1994: Using its own path in order to detect HADOOP_HOME is probably still insecure, though, since an attacker can hard link the task-controller into their own location. We should probably check that the HADOOP_HOME directory and the config file that it finds both have the same group ID as the task-controller itself, and are not world-writable. > Linux task-controller determines its own path insecurely > > > Key: MAPREDUCE-1994 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-1994 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: security, task-controller >Affects Versions: 0.22.0 >Reporter: Todd Lipcon >Priority: Critical > > The task-controller uses argv[0] to determine its own path, and then calls > stat() on that. Instead it should stat("/proc/self/exe") directly. This is > important since argv[0] can be spoofed to point to another program and thus > either fool the autodetection of HADOOP_HOME or evade various permissions > checks. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.