Posted to issues@mesos.apache.org by "Gavin (JIRA)" <ji...@apache.org> on 2019/04/29 09:27:26 UTC

[jira] [Issue Comment Deleted] (MESOS-6866) Mesos agent not checking IDs before using them as part of the paths

     [ https://issues.apache.org/jira/browse/MESOS-6866?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gavin updated MESOS-6866:
-------------------------
    Comment: was deleted

(was: www.rtat.net)

> Mesos agent not checking IDs before using them as part of the paths
> -------------------------------------------------------------------
>
>                 Key: MESOS-6866
>                 URL: https://issues.apache.org/jira/browse/MESOS-6866
>             Project: Mesos
>          Issue Type: Bug
>          Components: security
>            Reporter: Yan Xu
>            Assignee: Yan Xu
>            Priority: Major
>             Fix For: 1.2.0
>
>
> Various IDs are used in Mesos, some assigned by the master (AgentID, FrameworkID, etc.) and some created by the frameworks (TaskID, ExecutorID, etc.).
> The master does sufficient validation on the IDs supplied by the frameworks and the agent currently just trusts that the IDs are valid because they have been validated.
> The problem is that currently any entity can spoof as the master to inject certain actions on the agent which can be executed as "root" and inflict harm on the system. The "right" long-term fix is of course to prevent this from happening, but as a short-term defensive measure we can insert some hard CHECKs on the validity of the IDs in the agent code paths.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
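
The defensive measure described in the issue (validate an ID on the agent before it becomes part of a path), as an added example that is not code from the Mesos project. The function names, the rule set and the directory layout are assumptions made for illustration.

```cpp
#include <cctype>
#include <string>

// Hypothetical rule set (an assumption, not taken from the Mesos source):
// an ID may be used as a single path component only if it is non-empty,
// at most 255 bytes, is not "." or "..", and contains no path separator
// and no control character (which also rejects an embedded NUL).
bool isSafePathComponent(const std::string& id) {
  if (id.empty() || id.size() > 255) return false;
  if (id == "." || id == "..") return false;
  for (unsigned char c : id) {
    if (c == '/' || c == '\\') return false;
    if (std::iscntrl(c)) return false;
  }
  return true;
}

// Builds <root>/frameworks/<frameworkId>/executors/<executorId> (a
// constructed layout for this example). Returns false and leaves *out
// untouched when either ID fails validation, so the caller never
// receives a path that could resolve outside <root>.
bool executorDir(const std::string& root,
                 const std::string& frameworkId,
                 const std::string& executorId,
                 std::string* out) {
  if (!isSafePathComponent(frameworkId) ||
      !isSafePathComponent(executorId)) {
    return false;
  }
  *out = root + "/frameworks/" + frameworkId + "/executors/" + executorId;
  return true;
}
```

The check runs on the agent itself, at the point where the ID is turned into a path, so it holds even when the message did not pass through the master's validation.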