Posted to mapreduce-issues@hadoop.apache.org by "Todd Lipcon (JIRA)" <ji...@apache.org> on 2011/01/06 19:43:47 UTC

[jira] Updated: (MAPREDUCE-2096) Secure local filesystem IO from symlink vulnerabilities

     [ https://issues.apache.org/jira/browse/MAPREDUCE-2096?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Todd Lipcon updated MAPREDUCE-2096:
-----------------------------------

      Resolution: Fixed
    Release Note: The TaskTracker now uses the libhadoop JNI library to operate securely on local files when security is enabled. Secure clusters must ensure that libhadoop.so is available to the TaskTracker.
    Hadoop Flags: [Reviewed]
          Status: Resolved  (was: Patch Available)

Committed to trunk and 0.22

> Secure local filesystem IO from symlink vulnerabilities
> -------------------------------------------------------
>
>                 Key: MAPREDUCE-2096
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-2096
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>          Components: jobtracker, security, tasktracker
>    Affects Versions: 0.22.0
>            Reporter: Todd Lipcon
>            Assignee: Todd Lipcon
>            Priority: Blocker
>             Fix For: 0.22.0
>
>         Attachments: mapreduce-2096-index-oob.txt, mapreduce-2096.2.txt, mapreduce-2096.txt, secure-files-9.txt, secure-files-authorized-jvm-fix.txt
>
>
> This JIRA is to contribute a patch developed on the private security@ mailing list.
> The vulnerability is that MR daemons occasionally open files that are located in a path where the user has write access. A malicious user may place a symlink in place of the expected file in order to cause the daemon to instead read another file on the system -- one which the attacker may not naturally be able to access. This includes delegation tokens belonging to other users, log files, keytabs, etc.
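
The defensive idea behind the fix, shown as an added illustration in C (the language of the libhadoop JNI library) that is not the MAPREDUCE-2096 patch itself: open the file with O_NOFOLLOW so a planted symlink is refused, then verify type and ownership with fstat on the descriptor already opened rather than with a separate stat on the path. The function names, the temporary directory layout and the file names are constructed for this demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: plain open() follows symlinks, so a path inside a
 * directory the user can write to may silently resolve to another file. */
static int naive_open(const char *path) { return open(path, O_RDONLY); }

/* Hardened pattern: O_NOFOLLOW refuses a symlink at the final component, and
 * type/ownership are checked with fstat on the descriptor already opened, so
 * there is no window between the check and the use of the file. */
static int secure_open(const char *path, uid_t expected_owner) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;                 /* symlink: fails with ELOOP */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario in a temp dir: "target" stands in for a file the daemon
 * must never hand out; "expected" is the name the daemon opens, but a symlink
 * has been planted there. Returns 1 when naive_open follows the link while
 * secure_open rejects it and still accepts a genuine regular file. */
int demo_symlink_defence(void) {
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    char target[64], expected[64], honest[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(expected, sizeof expected, "%s/expected", dir);
    snprintf(honest, sizeof honest, "%s/honest", dir);
    close(open(target, O_WRONLY | O_CREAT, 0600));   /* the sensitive file */
    close(open(honest, O_WRONLY | O_CREAT, 0600));   /* a legitimate file */
    int ok = symlink(target, expected) == 0;         /* plant the link */
    int via_naive = naive_open(expected);            /* follows the link */
    int via_secure = secure_open(expected, getuid()); /* refused: -1 */
    int genuine = secure_open(honest, getuid());     /* regular file: ok */
    ok = ok && via_naive >= 0 && via_secure < 0 && genuine >= 0;
    if (via_naive >= 0) close(via_naive);
    if (genuine >= 0) close(genuine);
    unlink(expected); unlink(target); unlink(honest); rmdir(dir);
    return ok;
}

int main(void) { return demo_symlink_defence() ? 0 : 1; }
```

The same ownership check is what makes a secure open useful on a multi-user TaskTracker: even a regular (non-symlink) file in a user-writable directory is rejected unless it is owned by the user the daemon expects.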

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.