[ 
https://issues.apache.org/jira/browse/YARN-7197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16218663#comment-16218663
 ] 

Eric Badger commented on YARN-7197:
-----------------------------------

bq. File system ACL is the only protection to verify uid:gid are indeed 
authorized to access the included area.
If that's true, then I don't see what the black list gives us.

{quote}
The black list is designed to filter out more sinister attack against the 
system.
For example, system admin configures:
white-listed-read-write: /mnt/hdfs/user
black-listed: /mnt/hdfs/user/yarn,/run/docker.socket
This will prevent a naughty junior developer from doing:
docker run -u yarn:yarn -it -v /mnt/hdfs/user/yarn:/tmp centos:latest bash
or
docker run -u yarn:docker -it -v /run/docker.socket:/run/docker.socket 
centos:latest bash
{quote}
But there's nothing preventing the attacker from running 

{noformat}
docker run -u yarn:yarn -it -v /mnt/hdfs/user:/tmp centos:latest bash
{noformat}
and then using /tmp/yarn instead of /tmp to get to /mnt/hdfs/user/yarn. The same 
applies to /run/docker.socket if /run were in the whitelist.

bq. The black list feature is not designed to make a subdirectory disappear. 
Docker still depends on file system ACLs to enforce security. This feature is 
only good for blocking certain system directories from developers to protect the 
host OS and Hadoop. This is also the reason that the system admin keeps the black 
list secret from naughty developers.

But I don't see it blocking directories at all. The user can just mount above 
the blacklist and they get access to exactly what they want. This protects them 
from mounting the exact path in the blacklist, but that doesn't really buy us 
anything if they can mount the parent directory. If I can't prevent a 
file/directory underneath the parent directory from being accessed, then I 
don't see the utility of the blacklist.

> Add support for a volume blacklist for docker containers
> --------------------------------------------------------
>
>                 Key: YARN-7197
>                 URL: https://issues.apache.org/jira/browse/YARN-7197
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Shane Kumpf
>            Assignee: Eric Yang
>         Attachments: YARN-7197.001.patch, YARN-7197.002.patch
>
>
> Docker supports bind mounting host directories into containers. Work is 
> underway to allow admins to configure a whitelist of volume mounts. While 
> this is a much needed and useful feature, it opens the door for 
> misconfiguration that may lead to users being able to compromise or crash the 
> system. 
> One example would be allowing users to mount /run from a host running 
> systemd, and then running systemd in that container, rendering the host 
> mostly unusable.
> This issue is to add support for a default blacklist. The default blacklist 
> would be where we put files and directories that if mounted into a container, 
> are likely to have negative consequences. Users are encouraged not to remove 
> items from the default blacklist, but may do so if necessary.
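As an added illustration of the argument in this comment (example code, not from YARN or from any of the commenters): an exact-match blacklist only rejects the literal blacklisted path, while a check that also rejects any requested source that is an ancestor of a blacklisted path closes the parent-mount gap. The whitelist and blacklist values are the ones from the quoted example; the function names and the use of posixpath normalisation are assumptions of this example.

```python
import posixpath

# Constructed policy taken from the quoted example (not YARN's real config keys).
WHITELIST = ["/mnt/hdfs/user"]
BLACKLIST = ["/mnt/hdfs/user/yarn", "/run/docker.socket"]


def _norm(path):
    # Collapse "..", "." and duplicate slashes so "/mnt/hdfs/user/yarn/../x"
    # is compared as "/mnt/hdfs/user/x". This does not follow symlinks;
    # a real executor must also realpath() the host path at mount time.
    return posixpath.normpath(path)


def _is_within(path, ancestor):
    """True if path equals ancestor or lies somewhere below it."""
    path, ancestor = _norm(path), _norm(ancestor)
    return path == ancestor or path.startswith(ancestor.rstrip("/") + "/")


def naive_allowed(src, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Exact-match blacklist: the behaviour the comment argues is insufficient.

    Mounting /mnt/hdfs/user is accepted, and /mnt/hdfs/user/yarn is then
    reachable inside the container as a subdirectory of the mount.
    """
    src = _norm(src)
    if any(src == _norm(b) for b in blacklist):
        return False
    return any(_is_within(src, w) for w in whitelist)


def strict_allowed(src, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Reject a source that is below, equal to, OR an ancestor of a blacklisted path.

    The ancestor test is what stops the parent-directory mount: if the
    requested source contains a blacklisted entry, the mount is refused.
    """
    src = _norm(src)
    for b in blacklist:
        if _is_within(src, b) or _is_within(b, src):
            return False
    return any(_is_within(src, w) for w in whitelist)


if __name__ == "__main__":
    for p in ["/mnt/hdfs/user/yarn", "/mnt/hdfs/user", "/mnt/hdfs/user/alice"]:
        print(p, "naive:", naive_allowed(p), "strict:", strict_allowed(p))
```

With the strict check the whitelist root /mnt/hdfs/user itself becomes unmountable because it contains a blacklisted entry, so the admin has to whitelist the specific subdirectories users may mount instead.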



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)