You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-issues@hadoop.apache.org by "Aaron T. Myers (JIRA)" <ji...@apache.org> on 2011/04/11 10:15:06 UTC

[jira] [Updated] (HADOOP-6898) FileSystem.copyToLocal creates files with 777 permissions

     [ https://issues.apache.org/jira/browse/HADOOP-6898?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Aaron T. Myers updated HADOOP-6898:
-----------------------------------

    Attachment: hadoop-6898.0.txt

Sorry for the delay, Nigel. Patch attached.

> FileSystem.copyToLocal creates files with 777 permissions
> ---------------------------------------------------------
>
>                 Key: HADOOP-6898
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6898
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: fs, security
>            Reporter: Todd Lipcon
>            Assignee: Aaron T. Myers
>            Priority: Blocker
>             Fix For: 0.22.0
>
>         Attachments: hadoop-6898.0.txt
>
>
> FileSystem.copyToLocal ends up calling through to FileUtil.copy, which calls create() on the target file system without passing any permission object. Therefore, the file ends up getting created locally with 777 permissions, which is dangerous -- even if the caller then fixes up permissions afterwards, it exposes a window in which an attacker can open the file.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira