[
https://issues.apache.org/jira/browse/YARN-11231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17572042#comment-17572042
]
Chris Nauroth commented on YARN-11231:
--
777 is generally a very dangerous thing. This seems like it would open security
risks of other users writing into the submitter's directories.
Can you provide more details about the problem and how 777 solves it? In an
unsecured cluster, this all runs as the yarn user, so I don't see how there
would be a problem there. In a Kerberos secured cluster, resource localization
runs as the submitting user, which should be granted access with 755. Is there
something unique in your configuration that causes a conflict?
> FSDownload set wrong permission in destinationTmp
> -
>
> Key: YARN-11231
> URL: https://issues.apache.org/jira/browse/YARN-11231
> Project: Hadoop YARN
> Issue Type: Bug
> Components: yarn
>Reporter: Zhang Dongsheng
>Priority: Major
> Labels: pull-request-available
> Time Spent: 20m
> Remaining Estimate: 0h
>
> FSDownload calls createDir in the call method to create the destinationTmp
> directory, which is later used as the parent directory to create the
> directory dFinal, which is used in doAs to perform operations such as path
> creation and path traversal. doAs cannot determine the user's identity, so
> there is a problem with setting 755 permissions for destinationTmp here, I
> think it should be set to 777 permissions here.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
-
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
