[ 
https://issues.apache.org/jira/browse/YARN-7221?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16417528#comment-16417528
 ] 

Billie Rinaldi commented on YARN-7221:
--------------------------------------

It looks like set_privileged is missing free(user). Also, will ngroups always 
be set when getgrouplist returns -1? I was wondering if we should check the 
return value before entering the loop for (int j = 0; j < ngroups; j++).

When applying to trunk, I got a conflict on TestDockerContainerRuntime, but I'm 
not sure what is going on since that file hasn't been modified since the last 
precommit build.

I don't see any other issues at the moment. I'm going to try running and 
testing the patch locally and will get back to you with the results.

> Add security check for privileged docker container
> --------------------------------------------------
>
>                 Key: YARN-7221
>                 URL: https://issues.apache.org/jira/browse/YARN-7221
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: 3.0.0, 3.1.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>         Attachments: YARN-7221.001.patch, YARN-7221.002.patch, 
> YARN-7221.003.patch, YARN-7221.004.patch, YARN-7221.005.patch, 
> YARN-7221.006.patch, YARN-7221.007.patch, YARN-7221.008.patch, 
> YARN-7221.009.patch, YARN-7221.010.patch, YARN-7221.011.patch
>
>
> When a docker is running with privileges, majority of the use case is to have 
> some program running with root then drop privileges to another user.  i.e. 
> httpd to start with privileged and bind to port 80, then drop privileges to 
> www user.  
> # We should add security check for submitting users, to verify they have 
> "sudo" access to run privileged container.  
> # We should remove --user=uid:gid for privileged containers.  
>  
> Docker can be launched with --privileged=true, and --user=uid:gid flag.  With 
> this parameter combinations, user will not have access to become root user.  
> All docker exec command will be drop to uid:gid user to run instead of 
> granting privileges.  User can gain root privileges if container file system 
> contains files that give user extra power, but this type of image is 
> considered as dangerous.  Non-privileged user can launch container with 
> special bits to acquire same level of root power.  Hence, we lose control of 
> which image should be run with --privileges, and who have sudo rights to use 
> privileged container images.  As the result, we should check for sudo access 
> then decide to parameterize --privileged=true OR --user=uid:gid.  This will 
> avoid leading developer down the wrong path.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org

Reply via email to