You are viewing a plain text version of this content. The canonical link for it is here.
Posted to yarn-issues@hadoop.apache.org by "Aljoscha Krettek (JIRA)" <ji...@apache.org> on 2018/07/17 09:58:00 UTC
[jira] [Commented] (YARN-7590) Improve container-executor
validation check
[ https://issues.apache.org/jira/browse/YARN-7590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16546289#comment-16546289 ]
Aljoscha Krettek commented on YARN-7590:
----------------------------------------
Hi,
I just came across this issue. I have a kerberized YARN cluster setup that used to work with Hadoop 2.8.3. Now I'm getting the following error:
{code}
main : run as user is hadoop-user
main : requested yarn user is hadoop-user
Permission mismatch for /hadoop-data/nm-local-dirs for caller uid: 0, owner uid: 1001.
Couldn't get userdir directory for hadoop-user.
{code}
{{hadoop-user}} is the user that I want to use to run my application, {{0}} is the uid of {{root}}, {{1001}} is the uid of the {{yarn}} user. {{hadoop-user}} is only in the group {{hadoop-user}}, {{yarn}} is in the groups ({{yarn}}, {{hadoop}}).
{{container-executor}} has these permissions:
{code}
---Sr-s--- 1 root yarn 234175 May 8 02:58 container-executor
{code}
{{container-executor.cfg}} has these permissions:
{code}
-r-------- 1 root yarn 208 Jul 17 08:20 container-executor.cfg
{code}
My directories have these permissions:
{code}
root@slave1:/hadoop-data# ls -lah
total 16K
drwxr-xr-x 1 yarn yarn 4.0K Jul 17 08:33 .
drwxr-xr-x 1 root root 4.0K Jul 17 08:37 ..
drwxr-xr-x 1 yarn yarn 4.0K Jul 17 08:33 nm-local-dirs
drwxr-xr-x 1 yarn yarn 4.0K Jul 17 08:33 nm-log-dirs
{code}
Anyone know what could be causing this? Any help is greatly appreciated.
> Improve container-executor validation check
> -------------------------------------------
>
> Key: YARN-7590
> URL: https://issues.apache.org/jira/browse/YARN-7590
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: security, yarn
> Affects Versions: 2.0.1-alpha, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, 2.8.0, 2.8.1, 3.0.0-beta1
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Major
> Fix For: 2.6.6, 3.1.0, 2.10.0, 2.9.1, 3.0.1, 2.8.4, 2.7.6
>
> Attachments: YARN-7590.001.patch, YARN-7590.002.patch, YARN-7590.003.patch, YARN-7590.004.patch, YARN-7590.005.patch, YARN-7590.006.patch, YARN-7590.007.patch, YARN-7590.008.patch, YARN-7590.009.patch, YARN-7590.010.patch, YARN-7590.branch-2.000.patch, YARN-7590.branch-2.6.000.patch, YARN-7590.branch-2.7.000.patch, YARN-7590.branch-2.8.000.patch, YARN-7590.branch-2.9.000.patch
>
>
> There is minimum check for prefix path for container-executor. If YARN is compromised, attacker can use container-executor to change system files ownership:
> {code}
> /usr/local/hadoop/bin/container-executor spark yarn 0 etc /home/yarn/tokens /home/spark / ls
> {code}
> This will change /etc to be owned by spark user:
> {code}
> # ls -ld /etc
> drwxr-s---. 110 spark hadoop 8192 Nov 21 20:00 /etc
> {code}
> Spark user can rewrite /etc files to gain more access. We can improve this with additional check in container-executor:
> # Make sure the prefix path is owned by the same user as the caller to container-executor.
> # Make sure the log directory prefix is owned by the same user as the caller.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org