Posted to issues@mesos.apache.org by "James Peach (JIRA)" <ji...@apache.org> on 2017/11/13 23:03:00 UTC

[jira] [Commented] (MESOS-3083) Doing 'clone' on Linux with the CLONE_NEWUSER namespace type can drop root privileges.

    [ https://issues.apache.org/jira/browse/MESOS-3083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16250452#comment-16250452 ] 

James Peach commented on MESOS-3083:
------------------------------------

This test is running a task that enters a set of new namespaces, then attempts to escalate back to the set of root namespaces. This isn't something that we would expect to work with user namespaces (in fact, we should expect that user namespaces would explicitly prevent this).

> Doing 'clone' on Linux with the CLONE_NEWUSER namespace type can drop root privileges.
> --------------------------------------------------------------------------------------
>
>                 Key: MESOS-3083
>                 URL: https://issues.apache.org/jira/browse/MESOS-3083
>             Project: Mesos
>          Issue Type: Bug
>          Components: containerization
>         Environment: Ubuntu 14.04 (virtual machine)
>            Reporter: Benjamin Hindman
>              Labels: mesosphere
>
> The namespace tests attempt to clone a process with all namespaces that are available from the kernel, which includes the 'user' namespace in Ubuntu 14.04, which causes the child process to be user 'nobody' instead of user 'root' after invoking 'clone', which is bad because the test requires that the child process is 'root', and so things fail (because of insufficient permissions). For now, we explicitly ignore the 'user' namespace in the tests, but this issue is to track exactly how we might want to manage this going forward.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
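
The behaviour described in the issue, as an added example that is not part of the original message and is not Mesos code: a child that enters a new user namespace reports the kernel's overflow UID ("nobody", 65534 by default) until a `uid_map` is written, and the UID 0 it can then map to holds only inside that namespace. The helper name `probe_userns` and the struct are hypothetical; the example assumes Linux with `/proc` mounted and reports -1 where the host does not permit user namespaces.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* UIDs a child sees before and after mapping itself in a new user namespace;
 * -1 means that step was not permitted on this host. */
struct userns_view { long before_map; long after_map; };

/* Hypothetical helper, not Mesos code. */
struct userns_view probe_userns(void)
{
    struct userns_view v = { -1, -1 };
    long outer = (long)getuid();
    int fds[2];
    if (pipe(fds) != 0)
        return v;
    pid_t pid = fork();
    if (pid == 0) {
        close(fds[0]);
        if (unshare(CLONE_NEWUSER) == 0) {
            /* No uid_map yet: getuid() reports the overflow UID ("nobody"). */
            v.before_map = (long)getuid();
            FILE *f = fopen("/proc/self/uid_map", "w");
            if (f != NULL) {
                /* Map UID 0 inside the namespace to our UID outside it. */
                int ok = fprintf(f, "0 %ld 1\n", outer) > 0;
                if (fclose(f) == 0 && ok)
                    v.after_map = (long)getuid();
            }
        }
        _exit(write(fds[1], &v, sizeof v) == (ssize_t)sizeof v ? 0 : 1);
    }
    close(fds[1]);
    if (pid < 0 || read(fds[0], &v, sizeof v) != (ssize_t)sizeof v)
        v.before_map = v.after_map = -1;
    close(fds[0]);
    if (pid > 0)
        waitpid(pid, NULL, 0);
    return v;
}

int main(void)
{
    struct userns_view v = probe_userns();
    printf("uid before uid_map: %ld, after: %ld\n", v.before_map, v.after_map);
    return 0;
}
```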