Hello Harsh J, and Colin P. McCabe,
Added an inline correction message. It becomes somewhat more beefy, because there isn't one octal perm, but rather three conditions, noted below.
Hello Steve Loughran,
Thanks for the hint. The test had a contains, but included the entire message. I changed it to check two shorter strings.
I also added a link to a non-existent wiki page. The error message is even a bit beefier with the link.
Let me know if it is too long.
Suggestions for a wiki page:
Socket Path Permissions.
In order to run a secure environment, paths used to contain sockets need to be protected from
unauthorized access. Otherwise, it is possible that an unprivileged user can perform a
man-in-the-middle attack by removing the socket and replacing it with a new one.
In a POSIX filesystem, that means that all of the paths to the directory used for the
socket need to have the following characteristics:
1) Not world-writable.
2) Only group-writable if the group is root.
3) Owned by either root or the user creating the socket.
For more information, consult your operating system's documentation.
Here is a link to overall documentation regarding filesystem permissions:
For examining the path in more detail, the following commands may be useful:
    namei -om /var/run/hdfs-sockets/dn
    ls -l /var/run/hdfs-sockets/dn
For changing the path, the following commands may be useful:
    chmod 0755 /var/run/hdfs-sockets/dn
    chown hdfs:hadoop /var/run/hdfs-sockets/dn
HDFS daemons will fail to start if the sockets are not protected as required.
Running the tests locally before I attach the patch.
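
The three conditions from the proposed wiki text, applied to every component of the socket path, as an added example (not part of the comment above and not Hadoop's own check). The function names, the `FakeStat` stand-in, uid 496 for the hdfs user and the sample ownership values are assumptions constructed for illustration.

```python
import os
import stat
from collections import namedtuple

# Stand-in for os.stat_result so the rules can run on constructed data.
FakeStat = namedtuple("FakeStat", "st_mode st_uid st_gid")

def component_violations(st, uid):
    """Return which of conditions 1-3 a single path component violates."""
    problems = []
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        problems.append("group-writable by non-root group")
    if st.st_uid not in (0, uid):
        problems.append("owned by another non-root user")
    return problems

def ancestors(path):
    """Yield '/', '/var', '/var/run', ... up to the absolute path itself."""
    parts = [p for p in os.path.abspath(path).split(os.sep) if p]
    yield os.sep
    for i in range(1, len(parts) + 1):
        yield os.sep + os.sep.join(parts[:i])

def audit_socket_path(path, uid=None, stat_fn=os.stat):
    """Map each offending component of `path` to its list of violations."""
    uid = os.geteuid() if uid is None else uid
    report = {}
    for component in ancestors(path):
        problems = component_violations(stat_fn(component), uid)
        if problems:
            report[component] = problems
    return report

# Constructed sample tree (not real system state); uid 496 plays the hdfs user.
SAMPLE = {
    "/": FakeStat(0o040755, 0, 0),
    "/var": FakeStat(0o040755, 0, 0),
    "/var/run": FakeStat(0o040775, 0, 0),  # group-writable, but group is root
    "/var/run/hdfs-sockets": FakeStat(0o040777, 496, 500),
    "/var/run/hdfs-sockets/dn": FakeStat(0o040755, 1000, 500),
}

if __name__ == "__main__":
    report = audit_socket_path("/var/run/hdfs-sockets/dn", 496, SAMPLE.__getitem__)
    for component, problems in report.items():
        print(component, "->", ", ".join(problems))
```

Called with the default `stat_fn`, the audit reads the live filesystem and follows symlinks, so a component such as `/var/run` is judged by its target.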