[ https://issues.apache.org/jira/browse/YARN-7590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16275142#comment-16275142 ]
Miklos Szegedi commented on YARN-7590:
--------------------------------------

I have two more options:

3. Instead of getting a prefix path from container-executor.cfg and/or yarn-site.xml you could check if yarn has permissions to the desired path and all its parents. There is no need to check either of the config files in this case, so this would be the simplest change.
4. Disallow disruptive changes: check if container-executor is about to chmod an existing directory with incompatible permissions and disallow it.

I am in favor of 2. or 3. There are multiple reasons why currently it is not a good idea to call out to yarn-site.xml from container-executor (Option 1.):

1. XML parsing may add yet another library that increases the attack surface
2. You need to make sure (--checksetup) that the XML has the right permissions
3. CLASSPATH is not inherited, so it may pick up a different yarn-site.xml than what the node manager uses
4. Potentially breaking change: requiring yarn-site.xml parents writable only by root
5. Potentially breaking change: non-root users can no longer modify yarn-site.xml settings

I am all in favor of simple configuration provided by option 1., but at this time I would suggest having a separate config line in container-executor.cfg (option 2.) or option 3. A future compatibility breaking JIRA can merge the two config files properly implementing proper rights checks. container-executor could give a proper error message in case of option 2., so that the admin can update the directories in case of a failure.

> Improve container-executor validation check
> -------------------------------------------
>
> Key: YARN-7590
> URL: https://issues.apache.org/jira/browse/YARN-7590
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: security, yarn
> Reporter: Eric Yang
>
> There is a minimum check for the prefix path for container-executor. If YARN is
> compromised, an attacker can use container-executor to change system files'
> ownership:
> {code}
> /usr/local/hadoop/bin/container-executor spark yarn 0 etc /home/yarn/tokens
> /home/spark / ls
> {code}
> This will change /etc to be owned by the spark user:
> {code}
> # ls -ld /etc
> drwxr-s---. 110 spark hadoop 8192 Nov 21 20:00 /etc
> {code}
> The spark user can rewrite /etc files to gain more access. We can improve this
> with an additional check in container-executor:
> # Make sure the prefix path is the same as the one in yarn-site.xml, and
> yarn-site.xml is owned by root, 644, and marked as final in the property.
> # Make sure the user path is not a symlink, and usercache is not a symlink.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)