Posted to yarn-issues@hadoop.apache.org by "Chris Nauroth (Jira)" <ji...@apache.org> on 2022/07/27 17:22:00 UTC

[jira] [Commented] (YARN-11231) FSDownload set wrong permission in destinationTmp

    [ https://issues.apache.org/jira/browse/YARN-11231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17572042#comment-17572042 ] 

Chris Nauroth commented on YARN-11231:
--------------------------------------

777 is generally a very dangerous thing. This seems like it would open security risks of other users writing into the submitter's directories.

Can you provide more details about the problem and how 777 solves it? In an unsecured cluster, this all runs as the yarn user, so I don't see how there would be a problem there. In a Kerberos secured cluster, resource localization runs as the submitting user, which should be granted access with 755. Is there something unique in your configuration that causes a conflict?

> FSDownload set wrong permission in destinationTmp
> -------------------------------------------------
>
>                 Key: YARN-11231
>                 URL: https://issues.apache.org/jira/browse/YARN-11231
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: yarn
>            Reporter: Zhang Dongsheng
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> FSDownload calls createDir in the call method to create the destinationTmp directory, which is later used as the parent directory to create the directory dFinal, which is used in doAs to perform operations such as path creation and path traversal. doAs cannot determine the user's identity, so there is a problem with setting 755 permissions for destinationTmp here; I think it should be set to 777 permissions here.



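The 755 versus 777 question discussed above, as an added example that is not part of the original message or of Hadoop's code: a model of the POSIX class check that decides who may create entries in a directory, plus an audit walk that flags world-writable directories without the sticky bit. The function names, uids, gids and directory names are constructed for illustration.

```python
import os
import stat
import tempfile


def may_create_in(dir_mode, dir_uid, dir_gid, uid, gids):
    """POSIX rule: creating an entry needs write+search (w and x) on the directory.
    Exactly one permission class applies: owner, else group, else other."""
    if uid == 0:
        return True  # root bypasses the mode bits
    if uid == dir_uid:
        bits = (dir_mode >> 6) & 0o7
    elif dir_gid in gids:
        bits = (dir_mode >> 3) & 0o7
    else:
        bits = dir_mode & 0o7
    return (bits & 0o3) == 0o3


def world_writable_dirs(root):
    """Return sorted paths (relative to root) of directories that any local
    user can write into and that lack the sticky bit."""
    findings = []
    for dirpath, _dirnames, _filenames in os.walk(root):  # symlinks not followed
        mode = os.lstat(dirpath).st_mode
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append(os.path.relpath(dirpath, root))
    return sorted(findings)


def demo():
    # Constructed sample tree; the directory names are illustrative only.
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("tmp_755", 0o755), ("tmp_777", 0o777)):
            path = os.path.join(root, name)
            os.mkdir(path)
            os.chmod(path, mode)  # explicit chmod so the umask cannot clear bits
        return world_writable_dirs(root)


if __name__ == "__main__":
    SUBMITTER, OTHER = 1001, 1002  # constructed uids
    for mode in (0o755, 0o777):
        print(oct(mode),
              "submitter:", may_create_in(mode, SUBMITTER, 1001, SUBMITTER, {1001}),
              "other user:", may_create_in(mode, SUBMITTER, 1001, OTHER, {1002}))
    print("flagged:", demo())
```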