You are viewing a plain text version of this content. The canonical link for it is here.

Posted to hdfs-dev@hadoop.apache.org by "Haohui Mai (JIRA)" <ji...@apache.org> on 2014/02/11 03:23:19 UTC

[jira] [Created] (HDFS-5923) Do not persist the ACL bit in the FsPermission

Haohui Mai created HDFS-5923:
--------------------------------

             Summary: Do not persist the ACL bit in the FsPermission
                 Key: HDFS-5923
                 URL: https://issues.apache.org/jira/browse/HDFS-5923
             Project: Hadoop HDFS
          Issue Type: Sub-task
            Reporter: Haohui Mai
            Assignee: Haohui Mai


The current implementation persists and ACL bit in FSImage and editlogs. Moreover, the security decisions also depend on whether the bit is set.

The problem here is that we have to maintain the implicit invariant, which is the ACL bit is set if and only if the the inode has AclFeature. The invariant has to be maintained everywhere otherwise it can lead to a security vulnerability. In the worst case, an attacker can toggle the bit and bypass the ACL checks.

The jira proposes to treat the ACL bit as a transient bit. The bit should not be persisted onto the disk, neither it should affect any security decisions.





--
This message was sent by Atlassian JIRA
(v6.1.5#6160)