[ https://issues.apache.org/jira/browse/YARN-7590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16275142#comment-16275142 ]

Miklos Szegedi commented on YARN-7590:
--------------------------------------

I have two more options:
3. Instead of getting a prefix path from container-executor.cfg and/or 
yarn-site.xml, you could check if yarn has permissions to the desired path and 
all its parents. There is no need to check either of the config files in this 
case, so this would be the simplest change.
4. Disallow disruptive changes: check if container-executor is about to chmod 
an existing directory with incompatible permissions, and disallow it.

I am in favor of 2. or 3.

There are multiple reasons why currently it is not a good idea to call out to 
yarn-site.xml from container-executor (Option 1.):
1. XML parsing may add yet another library that increases the attack surface
2. You need to make sure (--checksetup) that the XML has the right permissions
3. CLASSPATH is not inherited, so it may pick up a different yarn-site.xml than 
what the node manager uses
4. Potentially breaking change: requiring yarn-site.xml parents writable only 
by root
5. Potentially breaking change: non-root users can no longer modify 
yarn-site.xml settings
I am all in favor of simple configuration provided by option 1., but at this 
time I would suggest having a separate config line in container-executor.cfg 
(option 2.) or option 3. A future compatibility-breaking JIRA can merge the 
two config files, properly implementing proper rights checks. container-executor 
could give a proper error message in case of option 2., so that the admin can 
update the directories in case of a failure.


> Improve container-executor validation check
> -------------------------------------------
>
>                 Key: YARN-7590
>                 URL: https://issues.apache.org/jira/browse/YARN-7590
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: security, yarn
>            Reporter: Eric Yang
>
> There is minimal checking of the prefix path in container-executor. If YARN is 
> compromised, an attacker can use container-executor to change system file 
> ownership:
> {code}
> /usr/local/hadoop/bin/container-executor spark yarn 0 etc /home/yarn/tokens 
> /home/spark / ls
> {code}
> This will change /etc to be owned by spark user:
> {code}
> # ls -ld /etc
> drwxr-s---. 110 spark hadoop 8192 Nov 21 20:00 /etc
> {code}
> The spark user can rewrite /etc files to gain more access. We can improve this 
> with additional checks in container-executor:
> # Make sure the prefix path is the same as the one in yarn-site.xml, and 
> yarn-site.xml is owned by root, 644, and marked as final in the property.
> # Make sure the user path is not a symlink, and usercache is not a symlink.
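The parent-chain permission check of option 3 above and the symlink checks listed in the quoted issue, as an added illustration that is neither Miklos's code nor Hadoop's container-executor: a hypothetical check_path_chain() walks every prefix of an absolute path with lstat() (so symlinks are seen, not followed) and reports all problems found as bit flags, and run_fixture_checks() exercises it on a constructed directory/symlink pair under /tmp (Linux assumed).

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Bit flags for every problem found along the path chain. */
enum { PATH_OK = 0, PATH_RELATIVE = 1, PATH_MISSING = 2, PATH_SYMLINK = 4,
       PATH_NOT_DIR = 8, PATH_BAD_OWNER = 16, PATH_WRITABLE = 32 };

/* Hypothetical check, not container-executor's code: walk an absolute path
 * one component at a time with lstat(), so symlinks are seen rather than
 * followed, and flag any prefix that is a symlink, not a directory, owned by
 * someone other than root or allowed_uid, or group/world writable. */
int check_path_chain(const char *path, uid_t allowed_uid)
{
    char prefix[PATH_MAX]; struct stat st;
    size_t len = strlen(path); int flags = PATH_OK;
    if (path[0] != '/' || len >= sizeof prefix) return PATH_RELATIVE;
    while (len > 1 && path[len - 1] == '/') len--;   /* ignore trailing '/' */
    for (size_t i = 1; i <= len; i++) {
        if (i < len && path[i] != '/') continue;     /* not a component end */
        memcpy(prefix, path, i);
        prefix[i] = '\0';
        if (lstat(prefix, &st) != 0) return flags | PATH_MISSING;
        if (S_ISLNK(st.st_mode)) flags |= PATH_SYMLINK;
        else if (!S_ISDIR(st.st_mode)) flags |= PATH_NOT_DIR;
        if (st.st_uid != 0 && st.st_uid != allowed_uid) flags |= PATH_BAD_OWNER;
        if (st.st_mode & (S_IWGRP | S_IWOTH)) flags |= PATH_WRITABLE;
    }
    return flags;
}

/* Constructed fixture: a real dir plus a symlink to it; returns 1 if the
 * checks classify both as expected (the walk also flags world-writable /tmp). */
int run_fixture_checks(void)
{
    char base[] = "/tmp/yarn7590_XXXXXX", real[PATH_MAX], lnk[PATH_MAX];
    if (!mkdtemp(base)) return 0;
    snprintf(real, sizeof real, "%s/usercache", base);
    snprintf(lnk, sizeof lnk, "%s/linked", base);
    int ok = mkdir(real, 0750) == 0 && symlink(real, lnk) == 0
          && !(check_path_chain(real, getuid()) & PATH_SYMLINK)
          && (check_path_chain(lnk, getuid()) & PATH_SYMLINK)
          && chmod(real, 0777) == 0
          && (check_path_chain(real, getuid()) & PATH_WRITABLE);
    unlink(lnk); rmdir(real); rmdir(base);             /* clean up fixture */
    return ok;
}
```

Because flags accumulate over the whole chain, a caller can refuse the path on any non-zero result while still logging exactly which prefix properties were wrong.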



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
