[ https://issues.apache.org/jira/browse/YARN-6623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16181845#comment-16181845 ]
Eric Yang commented on YARN-6623: --------------------------------- [~wangda] How does a non-privileged user acquire excessive permission by executing c-e? root:yarn is typically the owner of c-e binary. The user has to be root or yarn to run the binary. Hence, validation done by YARN user would be better than doing post validation after root privilege is acquired. One can argue that YARN user does not have access to check mount points, hence the validation needs to happen at root user level. If docker container is started for unprivileged user by using -u [uid]:[gid], Linux file system ACL still applies to process inside container. There will be no extra permission gain with mounting unauthorized path. In the previous implementation, there was no effective group id passed to docker. This was the reason that extra permission was gain through effective group. When this security hole is closed by YARN-4266, then there is no gain to shift validation logic to root user side for mount point permission validation. > Add support to turn off launching privileged containers in the > container-executor > --------------------------------------------------------------------------------- > > Key: YARN-6623 > URL: https://issues.apache.org/jira/browse/YARN-6623 > Project: Hadoop YARN > Issue Type: Sub-task > Components: nodemanager > Reporter: Varun Vasudev > Assignee: Varun Vasudev > Priority: Blocker > Attachments: YARN-6623.001.patch, YARN-6623.002.patch, > YARN-6623.003.patch, YARN-6623.004.patch, YARN-6623.005.patch, > YARN-6623.006.patch, YARN-6623.007.patch, YARN-6623.008.patch, > YARN-6623.009.patch, YARN-6623.010.patch, YARN-6623.011.patch, > YARN-6623.012.patch, YARN-6623.013.patch > > > Currently, launching privileged containers is controlled by the NM. We should > add a flag to the container-executor.cfg allowing admins to disable launching > privileged containers at the container-executor level. -- This message was sent by Atlassian JIRA (v6.4.14#64029) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org