[ https://issues.apache.org/jira/browse/YARN-2552?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14170907#comment-14170907 ]
Remus Rusanu commented on YARN-2552: ------------------------------------ Copying here the patch' apt.vm update: > 'yarn.nodemanager.windows-secure-container-executor.local-dirs' should > contain the nodemanager local dirs. hadoopwinutilsvc will allow only file > operations under these directories. This should contain the same values as > '${yarn.nodemanager.local-dirs}, ${yarn.nodemanager.log-dirs}' but note that > hadoopwinutilsvc XML configuration processing does not do substitutions so > the value must be the final value. All paths must be absolute and no > environment variable substitution will be performed. The paths are compared > LOCAL_INVARIANT case insensitive string comparison, the file path validated > must start with one of the paths listed in local-dirs configuration. Use > comma as path separator. > Windows Secure Container Executor: the privileged file operations of > hadoopwinutilsvc should be constrained to localdirs only > ----------------------------------------------------------------------------------------------------------------------------- > > Key: YARN-2552 > URL: https://issues.apache.org/jira/browse/YARN-2552 > Project: Hadoop YARN > Issue Type: Sub-task > Components: nodemanager > Reporter: Remus Rusanu > Assignee: Remus Rusanu > Labels: security, windows, wsce > Attachments: YARN-2552.1.patch > > > YARN-2458 added file manipulation operations executed in an elevated context > by hadoopwinutilsvc. W/o any constraint, the NM (or a hijacker that takes > over the NM) can manipulate arbitrary OS files under highest possible > privileges, an easy elevation attack vector. The service should only allow > operations on files/directories that are under the configured NM localdirs. > It should read this value from wsce-site.xml, as the yarn-site.xml cannot be > trusted, being writable by Hadoop admins (YARN-2551 ensures wsce-site.xml is > only writable by system Administrators, not Hadoop admins). -- This message was sent by Atlassian JIRA (v6.3.4#6332)