You are viewing a plain text version of this content. The canonical link for it is here.
Posted to yarn-dev@hadoop.apache.org by "Eric Yang (JIRA)" <ji...@apache.org> on 2017/12/01 00:13:00 UTC
[jira] [Created] (YARN-7590) Improve container-executor validation
check
Eric Yang created YARN-7590:
-------------------------------
Summary: Improve container-executor validation check
Key: YARN-7590
URL: https://issues.apache.org/jira/browse/YARN-7590
Project: Hadoop YARN
Issue Type: Improvement
Components: security, yarn
Reporter: Eric Yang
There is minimum check for prefix path for container-executor. If YARN is compromised, attacker can use container-executor to change system files ownership:
{code}
/usr/local/hadoop/bin/container-executor spark yarn 0 etc /home/yarn/tokens /home/spark / ls
{code}
This will change /etc to be owned by spark user:
{code}
# ls -ld /etc
drwxr-s---. 110 spark hadoop 8192 Nov 21 20:00 /etc
{code}
Spark user can rewrite /etc files to gain more access. We can improve this with additional check in container-executor:
# Make sure the prefix path is same as the one in yarn-site.xml, and yarn-site.xml is owned by root, 644, and marked as final in property.
# Make sure the user path is not a symlink, usercache is not a symlink.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-dev-help@hadoop.apache.org