Hadoop Common / HADOOP-7064

FsShell does not properly check permissions of files in a directory when doing rmr

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 0.20.2
    • Fix Version/s: None
    • Component/s: fs
    • Labels:
      None

      Description

      In POSIX file semantics, the ability to remove a file is determined by whether the user has write permissions on the directory containing the file. However, to delete recursively (rm -r) the user must have write permissions in all directories being removed. Thus if you have a directory structure like /a/b/c and a user has write permissions on a but not on b, then he is not allowed to do 'rm -r b'. This is because he does not have permissions to remove c, so the rm of b fails, even though he has permission to remove b.

      However, 'hadoop fs -rmr b' removes both b and c in this case. It should instead fail and return an error message saying the user does not have permission to remove c. 'hadoop fs -rmr c' correctly fails.

          Activity

          Tsz Wo Nicholas Sze added a comment -

          In Hadoop, "fs -rmr" without -skipTrash actually is "move to trash" if trash is enabled. It will call or FileSystem.rename(..). Therefore, it is allowed. Move is also allowed in POSIX.

          There will be a permission denied for "fs -rmr -skipTrash", which will call FileSystem.delete(..).

          Alan Gates added a comment -

          This seems wrong to me. The fact that rm is implemented as a move underneath is not important to the user. The user expects certain semantics from rm. HDFS has claimed that it follows POSIX semantics, which as far as I can tell, makes no allowance for whether the data is actually removed or moved to a trash directory. Further, the fact that rm requires different permissions depending on whether you are using a trash directory is a broken and confusing semantic.

          Tsz Wo Nicholas Sze added a comment -

          Let's move this from HDFS to Common since this is a FsShell and Trash issue. HDFS implementation does check permission correctly.

          Tsz Wo Nicholas Sze added a comment -

          Also edited title.

          Weiwei Yang added a comment -

          Agree with Alan Gates, this is the same issue reported in HDFS-8312, we should get this fixed. Otherwise HDFS opens a security hole that allows a user to delete other users' files. I have commented more in here, and a proposal to fix this, not in code level, but I am going to work on it shortly. Let me know if it makes sense.

          Weiwei Yang added a comment -

          I have uploaded a patch in HDFS-8312 to demonstrate this issue, appreciate if someone can take a look and let me know if my thought looks good.

          Many thanks.

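The two permission checks contrasted in this thread, as an added example (a toy Python model, not Hadoop code and not part of the original issue). It assumes a recursive delete needs write permission on the parent of every entry removed, while a rename checks only the source's parent and the destination directory; the tree, user names and trash path are constructed.

```python
# Added example: a toy permission model, not Hadoop code. The tree, the user
# names and the trash path are constructed for illustration.

# directory -> users with write permission on it (constructed /a/b/c layout)
WRITERS = {
    "/a": {"alice", "bob"},
    "/a/b": {"bob"},
    "/a/b/c": {"bob"},
    "/trash/alice": {"alice"},
    "/trash/bob": {"bob"},
}

def parent(path):
    return path.rsplit("/", 1)[0] or "/"

def can_write(user, directory):
    return user in WRITERS.get(directory, set())

def delete_denials(user, path):
    """Recursive delete: each entry is unlinked from its own parent, so write
    permission is needed on the parent of every entry in the subtree."""
    subtree = [p for p in WRITERS if p == path or p.startswith(path + "/")]
    return sorted(p for p in subtree if not can_write(user, parent(p)))

def rename_denials(user, src, dst_dir):
    """Rename: only the source's parent and the destination directory change,
    so (assumption of this model) only those two are checked."""
    return sorted(d for d in {parent(src), dst_dir} if not can_write(user, d))

def rmr(user, path, skip_trash):
    """Return the denied paths; an empty list means the command succeeds."""
    if skip_trash:
        return delete_denials(user, path)
    return rename_denials(user, path, "/trash/" + user)

def trash_only_removals(user, path):
    """Entries the trash path takes out of the namespace although a direct
    recursive delete would have been refused for them."""
    if rmr(user, path, skip_trash=False):
        return []  # the move itself is denied, nothing is removed
    return delete_denials(user, path)

if __name__ == "__main__":
    for target in ("/a/b", "/a/b/c"):
        print(target, rmr("alice", target, False), rmr("alice", target, True),
              trash_only_removals("alice", target))
```

A non-empty result from `trash_only_removals` marks a path where the two code paths disagree, which is the inconsistency this issue reports.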

            People

            • Assignee:
              Unassigned
              Reporter:
              Alan Gates
            • Votes:
              0
              Watchers:
              11
