[jira] [Commented] (YARN-7590) Improve container-executor validation check

Wed, 03 Jan 2018 16:51:36 -0800 

    [ 
https://issues.apache.org/jira/browse/YARN-7590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16310534#comment-16310534
 ] 

Miklos Szegedi commented on YARN-7590:
--------------------------------------

Thank you for the patch [~eyang]. I have two more style issues. I also verified 
the patch and it runs a basic mapreduce job and does not allow the scenario in 
the description as expected.
{code}
    fprintf(LOGFILE, "Error checking file stats for %s.\n", nm_root);
{code}
It would be very useful to have a meaningful error message like 
{{fprintf(LOGFILE, "Error checking file stats for %s %d %s.\n", nm_root, err, 
strerror(err));}}. It helps a lot to support the feature.
{code}
      if (check != 0 || strstr(container_log_dir, "..") != 0) {
{code}
Like I mentioned before, I would separate the two checks with a meaningful 
error message in the second case. The first one already prints inside the call. 
This one also helps to support the feature.


> Improve container-executor validation check
> -------------------------------------------
>
>                 Key: YARN-7590
>                 URL: https://issues.apache.org/jira/browse/YARN-7590
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: security, yarn
>    Affects Versions: 2.0.1-alpha, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, 
> 2.8.0, 2.8.1, 3.0.0-beta1
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>         Attachments: YARN-7590.001.patch, YARN-7590.002.patch, 
> YARN-7590.003.patch, YARN-7590.004.patch, YARN-7590.005.patch, 
> YARN-7590.006.patch
>
>
> There is minimum check for prefix path for container-executor.  If YARN is 
> compromised, attacker  can use container-executor to change system files 
> ownership:
> {code}
> /usr/local/hadoop/bin/container-executor spark yarn 0 etc /home/yarn/tokens 
> /home/spark / ls
> {code}
> This will change /etc to be owned by spark user:
> {code}
> # ls -ld /etc
> drwxr-s---. 110 spark hadoop 8192 Nov 21 20:00 /etc
> {code}
> Spark user can rewrite /etc files to gain more access.  We can improve this 
> with additional check in container-executor:
> # Make sure the prefix path is owned by the same user as the caller to 
> container-executor.
> # Make sure the log directory prefix is owned by the same user as the caller.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org

Reply via email to