You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@mesos.apache.org by ji...@apache.org on 2016/07/21 16:04:15 UTC
[2/4] mesos git commit: Made the agent fetch files as the task user.
Made the agent fetch files as the task user.
To ensure that a task cannot fetch root-protected files from the local
filesystem when running as a non-root user, this patch changes the
fetcher to fetch files as the task user.
Review: https://reviews.apache.org/r/50200/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/37e06d40
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/37e06d40
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/37e06d40
Branch: refs/heads/1.0.x
Commit: 37e06d402267e2a9044dbb577c8887ad1bd9185f
Parents: a93b09b
Author: Greg Mann <gr...@mesosphere.io>
Authored: Wed Jul 20 17:13:58 2016 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Thu Jul 21 09:03:38 2016 -0700
----------------------------------------------------------------------
src/launcher/fetcher.cpp | 24 ++++++++++++------------
src/tests/fetcher_tests.cpp | 38 ++++++++++++++++++++++++++++++++++++++
2 files changed, 50 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/37e06d40/src/launcher/fetcher.cpp
----------------------------------------------------------------------
diff --git a/src/launcher/fetcher.cpp b/src/launcher/fetcher.cpp
index 94b522d..4456c28 100644
--- a/src/launcher/fetcher.cpp
+++ b/src/launcher/fetcher.cpp
@@ -515,6 +515,17 @@ int main(int argc, char* argv[])
<< "Could not create the fetcher cache directory: " << result.error();
}
+ // If the `FetcherInfo` specifies a user, use `os::su()` to fetch files as the
+ // task's user to ensure that filesystem permissions are enforced.
+ if (fetcherInfo.get().has_user()) {
+ result = os::su(fetcherInfo.get().user());
+ if (result.isError()) {
+ EXIT(EXIT_FAILURE)
+ << "Fetcher could not execute `os::su()` for user '"
+ << fetcherInfo.get().user() << "'";
+ }
+ }
+
const Option<string> cacheDirectory =
fetcherInfo.get().has_cache_directory() ?
Option<string>::some(fetcherInfo.get().cache_directory()) :
@@ -525,7 +536,7 @@ int main(int argc, char* argv[])
Option<string>::some(fetcherInfo.get().frameworks_home()) :
Option<string>::none();
- // Fetch each URI to a local file, chmod, then chown if a user is provided.
+ // Fetch each URI to a local file and chmod if necessary.
foreach (const FetcherInfo::Item& item, fetcherInfo.get().items()) {
Try<string> fetched =
fetch(item, cacheDirectory, sandboxDirectory, frameworksHome);
@@ -538,16 +549,5 @@ int main(int argc, char* argv[])
}
}
- // Recursively chown the sandbox directory if a user is provided.
- if (fetcherInfo.get().has_user()) {
- Try<Nothing> chowned = os::chown(
- fetcherInfo.get().user(),
- sandboxDirectory);
- if (chowned.isError()) {
- EXIT(EXIT_FAILURE)
- << "Failed to chown " << sandboxDirectory << ": " << chowned.error();
- }
- }
-
return 0;
}
http://git-wip-us.apache.org/repos/asf/mesos/blob/37e06d40/src/tests/fetcher_tests.cpp
----------------------------------------------------------------------
diff --git a/src/tests/fetcher_tests.cpp b/src/tests/fetcher_tests.cpp
index d38ce6e..aea0900 100644
--- a/src/tests/fetcher_tests.cpp
+++ b/src/tests/fetcher_tests.cpp
@@ -100,6 +100,44 @@ TEST_F(FetcherTest, FileURI)
}
+// Tests that non-root users are unable to fetch root-protected files on the
+// local filesystem.
+TEST_F(FetcherTest, ROOT_RootProtectedFileURI)
+{
+ const string user = "nobody";
+ ASSERT_SOME(os::getuid(user));
+
+ string fromDir = path::join(os::getcwd(), "from");
+ ASSERT_SOME(os::mkdir(fromDir));
+ string testFile = path::join(fromDir, "test");
+ EXPECT_SOME(os::write(testFile, "data"));
+ EXPECT_SOME(os::chmod(testFile, 600));
+
+ slave::Flags flags;
+ flags.launcher_dir = getLauncherDir();
+
+ ContainerID containerId;
+ containerId.set_value(UUID::random().toString());
+
+ CommandInfo commandInfo;
+ commandInfo.set_user(user);
+
+ CommandInfo::URI* uri = commandInfo.add_uris();
+ uri->set_value("file://" + testFile);
+
+ Fetcher fetcher;
+ SlaveID slaveId;
+
+ AWAIT_FAILED(fetcher.fetch(
+ containerId,
+ commandInfo,
+ os::getcwd(),
+ None(),
+ slaveId,
+ flags));
+}
+
+
TEST_F(FetcherTest, CustomOutputFileSubdirectory)
{
string testFile = path::join(os::getcwd(), "test");