Posted to issues@mesos.apache.org by "Jake Farrell (JIRA)" <ji...@apache.org> on 2015/05/13 05:12:00 UTC

[jira] [Updated] (MESOS-2542) mesos containerizer should not allow tasks to run as root inside scheduler specified rootfs

     [ https://issues.apache.org/jira/browse/MESOS-2542?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jake Farrell updated MESOS-2542:
--------------------------------
    Issue Type: Bug  (was: Sub-task)
        Parent:     (was: MESOS-2540)

> mesos containerizer should not allow tasks to run as root inside scheduler specified rootfs
> -------------------------------------------------------------------------------------------
>
>                 Key: MESOS-2542
>                 URL: https://issues.apache.org/jira/browse/MESOS-2542
>             Project: Mesos
>          Issue Type: Bug
>          Components: containerization
>            Reporter: Jay Buffington
>
> If a task has root in the container it’s fairly well documented how to break out of the chroot and get root privs outside the container.  Therefore, when the mesos containerizer specifies an arbitrary rootfs to chroot into we need to be careful to not allow the task to get root access.  
> There are likely at least two options to consider here.  One is user namespaces[1] wherein the user has “root” inside the container, but outside the container that root user is mapped to an unprivileged user.  Another option is to mount all user specified rootfs with a nosetuid flag and strictly control /etc/passwd.
> [1] https://lwn.net/Articles/532593/
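
The two options named in the issue can each be checked from the host. The sketch below is an added example, not part of the issue or of the Mesos code base; the function names are hypothetical, and it assumes the "nosetuid flag" refers to the Linux nosuid mount option and that the uid_map is read from the initial user namespace.

```c
#include <stdio.h>
#include <sys/statvfs.h>

/* Parse /proc/<pid>/uid_map text: one "inside outside count" range per line.
 * Returns 1 if uid 0 inside the namespace maps to a non-zero (unprivileged)
 * uid outside, 0 if it maps to real root, -1 if uid 0 is not mapped at all.
 * Assumption: the text was read by a process in the initial user namespace,
 * so the "outside" column holds host uids. */
int root_is_unprivileged_outside(const char *uid_map)
{
    unsigned long inside, outside, count;
    int used;

    while (sscanf(uid_map, "%lu %lu %lu%n", &inside, &outside, &count, &used) == 3) {
        if (inside == 0 && count > 0)   /* this range starts at uid 0 */
            return outside != 0;
        uid_map += used;                /* advance to the next range */
    }
    return -1;
}

/* Returns 1 if the filesystem holding `path` is mounted nosuid (setuid bits
 * are ignored on exec), 0 if setuid binaries are honoured, -1 on error. */
int mount_is_nosuid(const char *path)
{
    struct statvfs vfs;

    if (statvfs(path, &vfs) != 0)
        return -1;
    return (vfs.f_flag & ST_NOSUID) != 0;
}

int main(int argc, char **argv)
{
    const char *rootfs = argc > 1 ? argv[1] : "/";  /* rootfs path to audit */
    char buf[4096] = "";
    FILE *f = fopen("/proc/self/uid_map", "r");

    if (f) {
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
    }
    printf("uid 0 unprivileged outside: %d\n", root_is_unprivileged_outside(buf));
    printf("%s mounted nosuid: %d\n", rootfs, mount_is_nosuid(rootfs));
    return 0;
}
```

A result of 0 from both checks is the condition the issue warns about: root in the container is root on the host, and setuid binaries in the supplied rootfs are honoured.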


