[ https://issues.apache.org/jira/browse/YARN-7590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16546289#comment-16546289 ]
Aljoscha Krettek commented on YARN-7590: ---------------------------------------- Hi, I just came across this issue. I have a kerberized YARN cluster setup that used to work with Hadoop 2.8.3. Now I'm getting the following error: {code} main : run as user is hadoop-user main : requested yarn user is hadoop-user Permission mismatch for /hadoop-data/nm-local-dirs for caller uid: 0, owner uid: 1001. Couldn't get userdir directory for hadoop-user. {code} {{hadoop-user}} is the user that I want to use to run my application, {{0}} is the uid of {{root}}, {{1001}} is the uid of the {{yarn}} user. {{hadoop-user}} is only in the group {{hadoop-user}}, {{yarn}} is in the groups ({{yarn}}, {{hadoop}}). {{container-executor}} has these permissions: {code} ---Sr-s--- 1 root yarn 234175 May 8 02:58 container-executor {code} {{container-executor.cfg}} has these permissions: {code} -r-------- 1 root yarn 208 Jul 17 08:20 container-executor.cfg {code} My directories have these permissions: {code} root@slave1:/hadoop-data# ls -lah total 16K drwxr-xr-x 1 yarn yarn 4.0K Jul 17 08:33 . drwxr-xr-x 1 root root 4.0K Jul 17 08:37 .. drwxr-xr-x 1 yarn yarn 4.0K Jul 17 08:33 nm-local-dirs drwxr-xr-x 1 yarn yarn 4.0K Jul 17 08:33 nm-log-dirs {code} Anyone know what could be causing this? Any help is greatly appreciated. > Improve container-executor validation check > ------------------------------------------- > > Key: YARN-7590 > URL: https://issues.apache.org/jira/browse/YARN-7590 > Project: Hadoop YARN > Issue Type: Improvement > Components: security, yarn > Affects Versions: 2.0.1-alpha, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, > 2.8.0, 2.8.1, 3.0.0-beta1 > Reporter: Eric Yang > Assignee: Eric Yang > Priority: Major > Fix For: 2.6.6, 3.1.0, 2.10.0, 2.9.1, 3.0.1, 2.8.4, 2.7.6 > > Attachments: YARN-7590.001.patch, YARN-7590.002.patch, > YARN-7590.003.patch, YARN-7590.004.patch, YARN-7590.005.patch, > YARN-7590.006.patch, YARN-7590.007.patch, YARN-7590.008.patch, > YARN-7590.009.patch, YARN-7590.010.patch, YARN-7590.branch-2.000.patch, > YARN-7590.branch-2.6.000.patch, YARN-7590.branch-2.7.000.patch, > YARN-7590.branch-2.8.000.patch, YARN-7590.branch-2.9.000.patch > > > There is minimum check for prefix path for container-executor. If YARN is > compromised, attacker can use container-executor to change system files > ownership: > {code} > /usr/local/hadoop/bin/container-executor spark yarn 0 etc /home/yarn/tokens > /home/spark / ls > {code} > This will change /etc to be owned by spark user: > {code} > # ls -ld /etc > drwxr-s---. 110 spark hadoop 8192 Nov 21 20:00 /etc > {code} > Spark user can rewrite /etc files to gain more access. We can improve this > with additional check in container-executor: > # Make sure the prefix path is owned by the same user as the caller to > container-executor. > # Make sure the log directory prefix is owned by the same user as the caller. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org