[ https://issues.apache.org/jira/browse/YARN-7446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16347300#comment-16347300 ]
Eric Yang edited comment on YARN-7446 at 1/31/18 6:13 PM:
----------------------------------------------------------

Hi [~shaneku...@gmail.com], to carry on the conversation from YARN-7516 regarding the privileged and user flags being mutually exclusive: based on [~ebadger]'s comments on YARN-7516, privileged and cap-add/cap-drop are not additive. When privileged is given and we drop the starting user to a normal uid/gid, this instance of the container is still running with root privileges; for the end user to regain kernel-level access, the image needs to have either a sudoers list with a sudo binary and sticky bits prebuilt, or some executable binary with sticky bits to regain control of root privileges. Once the user can regain control of the root power in the image, it defeats the purpose of dropping privileges in the first place from a security point of view. "To grant root power, or not to grant" is the question. When this question is asked upfront, there is little purpose in dropping to a normal user uid/gid, because the normal user will need to spend more effort to resume root power, from a usability point of view. The initial decision for the privileged flag makes the user parameter irrelevant from both a usability point of view and a security point of view. Thoughts?

was (Author: eyang):

Hi [~shaneku...@gmail.com], to carry on the conversation from YARN-7516 regarding the --privileged and -u flags being mutually exclusive: based on [~ebadger]'s comments on YARN-7516, --privileged and --cap-add/--cap-drop are not additive. When --privileged is given and we drop the starting user to a normal uid/gid, this instance of the container is still running with root privileges; for the end user to regain kernel-level access, the image needs to have either a sudoers list with a sudo binary and sticky bits prebuilt, or some executable binary with sticky bits to regain control of root privileges. Once the user can regain control of the root power in the image, it defeats the purpose of dropping privileges in the first place from a security point of view. "To grant root power, or not to grant" is the question. When this question is asked upfront, there is little purpose in dropping to a normal user uid/gid, because the normal user will need to spend more effort to resume root power, from a usability point of view. The initial decision for the privileged flag makes the user parameter irrelevant from both a usability point of view and a security point of view. Thoughts?

> Docker container privileged mode and --user flag contradict each other
> ----------------------------------------------------------------------
>
>                 Key: YARN-7446
>                 URL: https://issues.apache.org/jira/browse/YARN-7446
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>    Affects Versions: 3.0.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>         Attachments: YARN-7446.001.patch
>
>
> In the current implementation, when privileged=true, the --user flag is also
> passed to docker for launching the container. In reality, the container has no
> way to use root privileges unless there is a sticky bit or sudoers entry in the image
> for the specified user to gain privileges again. To avoid the duplication of
> dropping and reacquiring root privileges, we can stop specifying both flags.
> When privileged mode is enabled, the --user flag should be omitted. When
> non-privileged mode is enabled, the --user flag is supplied.
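The rule the issue description proposes (omit --user when the container is privileged, supply it otherwise) and the operator-side check for the contradictory combination, as an added shell example. This is not code from YARN-7446's patch or from Hadoop's container-executor; the function names docker_user_args and has_privileged_user_conflict and the sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Hadoop YARN code base.

# Emit the docker run argument that decides who the container process runs as.
# $1 = "true" when the container is launched privileged,
# $2 = "uid:gid" the end user would otherwise be dropped to.
# Per YARN-7446: privileged mode omits --user; non-privileged mode supplies it.
docker_user_args() {
  privileged="$1"
  runas="$2"
  if [ "$privileged" = "true" ]; then
    printf '%s' '--privileged'
  else
    printf '%s' "--user=$runas"
  fi
}

# Audit an existing docker run command line (one string, space separated).
# Returns 0 when it combines --privileged with --user/-u, the pairing the issue
# calls contradictory (root power granted, then the uid dropped); 1 otherwise.
# --privileged=false is not treated as privileged.
has_privileged_user_conflict() {
  cmdline="$1"
  has_priv=1
  has_user=1
  for tok in $cmdline; do
    case "$tok" in
      --privileged|--privileged=true) has_priv=0 ;;
      --user|--user=*|-u|-u=*) has_user=0 ;;
    esac
  done
  if [ "$has_priv" -eq 0 ] && [ "$has_user" -eq 0 ]; then
    return 0
  fi
  return 1
}

# Constructed sample invocations (no docker daemon is contacted).
if [ "${SHELL_EXAMPLE_DEMO:-0}" = "1" ]; then
  echo "privileged launch args: $(docker_user_args true 1000:1000)"
  echo "unprivileged launch args: $(docker_user_args false 1000:1000)"
  if has_privileged_user_conflict "docker run --privileged --user=1000:1000 img"; then
    echo "conflict: --privileged combined with --user"
  fi
fi
```

The audit only tokenizes on whitespace, so it is meant for the argument list YARN assembles itself rather than for arbitrary shell syntax; a launch that sets --privileged with a uid/gid should be treated as a misconfiguration to fix at the launcher, not as a privilege drop.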