You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-commits@hadoop.apache.org by om...@apache.org on 2011/03/04 04:42:31 UTC
svn commit: r1077115 - in
/hadoop/common/branches/branch-0.20-security-patches/src:
c++/task-controller/ test/org/apache/hadoop/mapred/
Author: omalley
Date: Fri Mar 4 03:42:30 2011
New Revision: 1077115
URL: http://svn.apache.org/viewvc?rev=1077115&view=rev
Log:
commit 6adb543e5278bd565f8b9a07ecc5d84c2d6f9f8d
Author: Hemanth Yamijala <yh...@yahoo-inc.com>
Date: Wed Jan 20 16:12:33 2010 +0530
MAPREDUCE:871 from https://issues.apache.org/jira/secure/attachment/12430867/871.20S.patch
+++ b/YAHOO-CHANGES.txt
+ MAPREDUCE-871. Fix ownership of Job/Task local files to have correct
+ group ownership according to the egid of the tasktracker.
+ (Vinod Kumar Vavilapalli via yhemanth)
+
Modified:
hadoop/common/branches/branch-0.20-security-patches/src/c++/task-controller/task-controller.c
hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestLocalizationWithLinuxTaskController.java
hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestTaskTrackerLocalization.java
Modified: hadoop/common/branches/branch-0.20-security-patches/src/c++/task-controller/task-controller.c
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/c%2B%2B/task-controller/task-controller.c?rev=1077115&r1=1077114&r2=1077115&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/c++/task-controller/task-controller.c (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/c++/task-controller/task-controller.c Fri Mar 4 03:42:30 2011
@@ -333,7 +333,7 @@ static int secure_path(const char *path,
continue;
}
- if (check_ownership(getuid(), getgid(), entry->fts_path) != 0) {
+ if (check_ownership(entry->fts_path) != 0) {
fprintf(LOGFILE,
"Invalid file path. %s not user/group owned by the tasktracker.\n",
entry->fts_path);
@@ -369,13 +369,13 @@ int prepare_attempt_directories(const ch
return INVALID_ARGUMENT_NUMBER;
}
+ gid_t tasktracker_gid = getegid(); // the group permissions of the binary.
+
if (get_user_details(user) < 0) {
fprintf(LOGFILE, "Couldn't get the user details of %s.\n", user);
return INVALID_USER_NAME;
}
- int tasktracker_gid = getgid();
-
char **local_dir = (char **) get_values(TT_SYS_DIR_KEY);
if (local_dir == NULL) {
@@ -485,7 +485,7 @@ int prepare_task_logs(const char *log_di
}
}
- int tasktracker_gid = getgid();
+ gid_t tasktracker_gid = getegid(); // the group permissions of the binary.
if (secure_path(task_log_dir, user_detail->pw_uid, tasktracker_gid, S_IRWXU
| S_IRWXG, S_ISGID | S_IRWXU | S_IRWXG) != 0) {
// setgid on dirs but not files, 770. As of now, there are no files though
@@ -509,15 +509,18 @@ int get_user_details(const char *user) {
}
/*
- * Function to check if a user/group actually owns the file.
+ * Function to check if the TaskTracker actually owns the file.
*/
-int check_ownership(uid_t uid, gid_t gid, char *path) {
+int check_ownership(char *path) {
struct stat filestat;
if (stat(path, &filestat) != 0) {
return UNABLE_TO_STAT_FILE;
}
- // check user/group.
- if (uid != filestat.st_uid || gid != filestat.st_gid) {
+ // check user/group. User should be TaskTracker user, group can either be
+ // TaskTracker's primary group or the special group to which binary's
+ // permissions are set.
+ if (getuid() != filestat.st_uid || (getgid() != filestat.st_gid && getegid()
+ != filestat.st_gid)) {
return FILE_NOT_OWNED_BY_TASKTRACKER;
}
return 0;
@@ -541,7 +544,7 @@ int initialize_job(const char *jobid, co
return INVALID_USER_NAME;
}
- gid_t tasktracker_gid = getgid(); // TaskTracker's group-id
+ gid_t tasktracker_gid = getegid(); // the group permissions of the binary.
char **local_dir = (char **) get_values(TT_SYS_DIR_KEY);
if (local_dir == NULL) {
Modified: hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestLocalizationWithLinuxTaskController.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestLocalizationWithLinuxTaskController.java?rev=1077115&r1=1077114&r2=1077115&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestLocalizationWithLinuxTaskController.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestLocalizationWithLinuxTaskController.java Fri Mar 4 03:42:30 2011
@@ -30,7 +30,6 @@ import org.apache.hadoop.fs.Path;
import org.apache.hadoop.mapred.TaskController.JobInitializationContext;
import org.apache.hadoop.mapred.TaskController.TaskControllerContext;
import org.apache.hadoop.mapred.TaskTracker.TaskInProgress;
-import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.mapred.ClusterWithLinuxTaskController.MyLinuxTaskController;
import org.apache.hadoop.mapred.JvmManager.JvmEnv;
@@ -48,6 +47,8 @@ public class TestLocalizationWithLinuxTa
private File configFile;
private MyLinuxTaskController taskController;
+ private static String taskTrackerSpecialGroup;
+
@Override
protected void setUp()
throws Exception {
@@ -66,6 +67,7 @@ public class TestLocalizationWithLinuxTa
localDirs);
String execPath = path + "/task-controller";
taskController.setTaskControllerExe(execPath);
+ taskTrackerSpecialGroup = getFilePermissionAttrs(execPath)[2];
taskController.setConf(trackerFConf);
taskController.setup();
}
@@ -120,14 +122,12 @@ public class TestLocalizationWithLinuxTa
taskController.initializeJob(context);
// ///////////
- UserGroupInformation taskTrackerugi =
- UserGroupInformation.login(localizedJobConf);
for (String localDir : trackerFConf.getStrings("mapred.local.dir")) {
File jobDir =
new File(localDir, TaskTracker.getLocalJobDir(jobId.toString()));
// check the private permissions on the job directory
checkFilePermissions(jobDir.getAbsolutePath(), "dr-xrws---",
- localizedJobConf.getUser(), taskTrackerugi.getGroupNames()[0]);
+ localizedJobConf.getUser(), taskTrackerSpecialGroup);
}
// check the private permissions of various directories
@@ -139,7 +139,7 @@ public class TestLocalizationWithLinuxTa
dirs.add(new Path(jarsDir, "lib"));
for (Path dir : dirs) {
checkFilePermissions(dir.toUri().getPath(), "dr-xrws---",
- localizedJobConf.getUser(), taskTrackerugi.getGroupNames()[0]);
+ localizedJobConf.getUser(), taskTrackerSpecialGroup);
}
// job-work dir needs user writable permissions
@@ -147,7 +147,7 @@ public class TestLocalizationWithLinuxTa
lDirAlloc.getLocalPathToRead(TaskTracker.getJobWorkDir(jobId
.toString()), trackerFConf);
checkFilePermissions(jobWorkDir.toUri().getPath(), "drwxrws---",
- localizedJobConf.getUser(), taskTrackerugi.getGroupNames()[0]);
+ localizedJobConf.getUser(), taskTrackerSpecialGroup);
// check the private permissions of various files
List<Path> files = new ArrayList<Path>();
@@ -159,7 +159,7 @@ public class TestLocalizationWithLinuxTa
files.add(new Path(jarsDir, "lib" + Path.SEPARATOR + "lib2.jar"));
for (Path file : files) {
checkFilePermissions(file.toUri().getPath(), "-r-xrwx---",
- localizedJobConf.getUser(), taskTrackerugi.getGroupNames()[0]);
+ localizedJobConf.getUser(), taskTrackerSpecialGroup);
}
}
@@ -223,11 +223,9 @@ public class TestLocalizationWithLinuxTa
dirs.add(workDir);
dirs.add(new Path(workDir, "tmp"));
dirs.add(new Path(logFiles[1].getParentFile().getAbsolutePath()));
- UserGroupInformation taskTrackerugi =
- UserGroupInformation.login(localizedJobConf);
for (Path dir : dirs) {
checkFilePermissions(dir.toUri().getPath(), "drwxrws---",
- localizedJobConf.getUser(), taskTrackerugi.getGroupNames()[0]);
+ localizedJobConf.getUser(), taskTrackerSpecialGroup);
}
// check the private permissions of various files
@@ -237,7 +235,7 @@ public class TestLocalizationWithLinuxTa
.isTaskCleanupTask()), trackerFConf));
for (Path file : files) {
checkFilePermissions(file.toUri().getPath(), "-rwxrwx---",
- localizedJobConf.getUser(), taskTrackerugi.getGroupNames()[0]);
+ localizedJobConf.getUser(), taskTrackerSpecialGroup);
}
}
}
Modified: hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestTaskTrackerLocalization.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestTaskTrackerLocalization.java?rev=1077115&r1=1077114&r2=1077115&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestTaskTrackerLocalization.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestTaskTrackerLocalization.java Fri Mar 4 03:42:30 2011
@@ -130,7 +130,7 @@ public class TestTaskTrackerLocalization
FileUtil.fullyDelete(TEST_ROOT_DIR);
}
- private static String[] getFilePermissionAttrs(String path)
+ protected static String[] getFilePermissionAttrs(String path)
throws IOException {
String output = Shell.execCommand("stat", path, "-c", "%A:%U:%G");
return output.split(":|\n");