Hadoop Map/Reduce
  1. Hadoop Map/Reduce
  2. MAPREDUCE-2103

task-controller shouldn't require o-r permissions

    Details

    • Type: Improvement Improvement
    • Status: Closed
    • Priority: Trivial Trivial
    • Resolution: Fixed
    • Affects Version/s: 0.22.0
    • Fix Version/s: 0.22.0, 1.1.0
    • Component/s: task-controller
    • Labels:
      None
    • Target Version/s:
    • Hadoop Flags:
      Reviewed

      Description

      The task-controller currently checks that "other" users don't have read permissions. This is unnecessary - we just need to make it's not executable. The debian policy manual explains it well:

      Setuid and setgid executables should be mode 4755 or 2755 respectively, and owned by the appropriate user or group. They should not be made unreadable (modes like 4711 or 2711 or even 4111); doing so achieves no extra security, because anyone can find the binary in the freely available Debian package; it is merely inconvenient. For the same reason you should not restrict read or execute permissions on non-set-id executables.

      Some setuid programs need to be restricted to particular sets of users, using file permissions. In this case they should be owned by the uid to which they are set-id, and by the group which should be allowed to execute them. They should have mode 4754; again there is no point in making them unreadable to those users who must not be allowed to execute them.

      1. mapreduce-2103.txt
        2 kB
        Todd Lipcon
      2. mapreduce-2103.txt
        1.0 kB
        Todd Lipcon
      3. mapreduce-2103-20x.patch
        1 kB
        Eli Collins
      4. mr-2103-0.22.patch
        2 kB
        Benoy Antony

        Issue Links

          Activity

          Transition Time In Source Status Execution Times Last Executer Last Execution Date
          Open Open Patch Available Patch Available
          5m 47s 1 Todd Lipcon 04/Oct/10 05:13
          Patch Available Patch Available Resolved Resolved
          221d 17h 58m 1 Eli Collins 13/May/11 23:12
          Resolved Resolved Closed Closed
          522d 20h 15m 1 Matt Foley 17/Oct/12 19:27
          Matt Foley made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
          Hide
          Matt Foley added a comment -

          Closed upon release of Hadoop-1.1.0.

          Show
          Matt Foley added a comment - Closed upon release of Hadoop-1.1.0.
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Mapreduce-22-branch #104 (See https://builds.apache.org/job/Hadoop-Mapreduce-22-branch/104/)
          MAPREDUCE-2103. Additional changes to task-controller.c Contributed by Benoy Antony. (Revision 1346254)

          Result = SUCCESS
          shv : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1346254
          Files :

          • /hadoop/common/branches/branch-0.22/mapreduce/CHANGES.txt
          • /hadoop/common/branches/branch-0.22/mapreduce/src/c++/task-controller/impl/task-controller.c
          Show
          Hudson added a comment - Integrated in Hadoop-Mapreduce-22-branch #104 (See https://builds.apache.org/job/Hadoop-Mapreduce-22-branch/104/ ) MAPREDUCE-2103 . Additional changes to task-controller.c Contributed by Benoy Antony. (Revision 1346254) Result = SUCCESS shv : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1346254 Files : /hadoop/common/branches/branch-0.22/mapreduce/CHANGES.txt /hadoop/common/branches/branch-0.22/mapreduce/src/c++/task-controller/impl/task-controller.c
          Hide
          Konstantin Shvachko added a comment -

          Committed to branch 0.22.1. Thank you Benoy.

          Show
          Konstantin Shvachko added a comment - Committed to branch 0.22.1. Thank you Benoy.
          Matt Foley made changes -
          Target Version/s 1.1.0 [ 12317960 ] 0.22.0, 1.1.0 [ 12314184, 12317960 ]
          Matt Foley made changes -
          Fix Version/s 1.1.0 [ 12317960 ]
          Hide
          Matt Foley added a comment -

          It's not clear from the commit record how this patch is in 1.1 and not 1.0, but it is, and that's fine, so updating "Fixed Version" to include 1.1.0.

          Show
          Matt Foley added a comment - It's not clear from the commit record how this patch is in 1.1 and not 1.0, but it is, and that's fine, so updating "Fixed Version" to include 1.1.0.
          Benoy Antony made changes -
          Attachment mr-2103-0.22.patch [ 12526271 ]
          Hide
          Benoy Antony added a comment -

          Patch for 0.22

          Show
          Benoy Antony added a comment - Patch for 0.22
          Benoy Antony made changes -
          Link This issue is depended upon by HADOOP-8357 [ HADOOP-8357 ]
          Konstantin Shvachko made changes -
          Fix Version/s 0.22.0 [ 12314184 ]
          Hide
          Eli Collins added a comment -

          Thanks Todd. I've committed this.

          Show
          Eli Collins added a comment - Thanks Todd. I've committed this.
          Hide
          Todd Lipcon added a comment -

          +1 on the 20s patch

          Show
          Todd Lipcon added a comment - +1 on the 20s patch
          Hide
          Eli Collins added a comment -
               [exec] 
               [exec] -1 overall.  
               [exec] 
               [exec]     +1 @author.  The patch does not contain any @author tags.
               [exec] 
               [exec]     -1 tests included.  The patch doesn't appear to include any new or modified tests.
               [exec]                         Please justify why no tests are needed for this patch.
               [exec] 
               [exec]     +1 javadoc.  The javadoc tool did not generate any warning messages.
               [exec] 
               [exec]     +1 javac.  The applied patch does not increase the total number of javac compiler warnings.
               [exec] 
               [exec]     -1 findbugs.  The patch appears to introduce 2 new Findbugs (version 1.3.9) warnings.
               [exec] 
               [exec] 
          

          Existing test coverage is sufficient. Findbugs warnings are unrelated (filed HADOOP-7847). test-task-controller passes.

          Show
          Eli Collins added a comment - [exec] [exec] -1 overall. [exec] [exec] +1 @author. The patch does not contain any @author tags. [exec] [exec] -1 tests included. The patch doesn't appear to include any new or modified tests. [exec] Please justify why no tests are needed for this patch. [exec] [exec] +1 javadoc. The javadoc tool did not generate any warning messages. [exec] [exec] +1 javac. The applied patch does not increase the total number of javac compiler warnings. [exec] [exec] -1 findbugs. The patch appears to introduce 2 new Findbugs (version 1.3.9) warnings. [exec] [exec] Existing test coverage is sufficient. Findbugs warnings are unrelated (filed HADOOP-7847 ). test-task-controller passes.
          Eli Collins made changes -
          Target Version/s 0.20.206.0 [ 12317960 ]
          Eli Collins made changes -
          Attachment mapreduce-2103-20x.patch [ 12504538 ]
          Hide
          Eli Collins added a comment -

          Patch attached for branch-20-security. The setgid check had already been removed from 20x.

          Show
          Eli Collins added a comment - Patch attached for branch-20-security. The setgid check had already been removed from 20x.
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Mapreduce-trunk-Commit #675 (See https://builds.apache.org/hudson/job/Hadoop-Mapreduce-trunk-Commit/675/)

          Show
          Hudson added a comment - Integrated in Hadoop-Mapreduce-trunk-Commit #675 (See https://builds.apache.org/hudson/job/Hadoop-Mapreduce-trunk-Commit/675/ )
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Mapreduce-trunk #679 (See https://builds.apache.org/hudson/job/Hadoop-Mapreduce-trunk/679/)
          MAPREDUCE-2103. task-controller shouldn't require o-r permissions. Contributed by Todd Lipcon

          Show
          Hudson added a comment - Integrated in Hadoop-Mapreduce-trunk #679 (See https://builds.apache.org/hudson/job/Hadoop-Mapreduce-trunk/679/ ) MAPREDUCE-2103 . task-controller shouldn't require o-r permissions. Contributed by Todd Lipcon
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Mapreduce-22-branch #50 (See https://builds.apache.org/hudson/job/Hadoop-Mapreduce-22-branch/50/)
          MAPREDUCE-2103. svn merge -c 1102908 from trunk

          Show
          Hudson added a comment - Integrated in Hadoop-Mapreduce-22-branch #50 (See https://builds.apache.org/hudson/job/Hadoop-Mapreduce-22-branch/50/ ) MAPREDUCE-2103 . svn merge -c 1102908 from trunk
          Eli Collins made changes -
          Resolution Fixed [ 1 ]
          Status Patch Available [ 10002 ] Resolved [ 5 ]
          Hadoop Flags [Reviewed]
          Hide
          Eli Collins added a comment -

          Thanks Todd. I've committed this to trunk and branch 22.

          Show
          Eli Collins added a comment - Thanks Todd. I've committed this to trunk and branch 22.
          Hide
          Todd Lipcon added a comment -

          Testing-wise, this has been running in 0.20-based secure clusters for several months with no problems.

          Show
          Todd Lipcon added a comment - Testing-wise, this has been running in 0.20-based secure clusters for several months with no problems.
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12459276/mapreduce-2103.txt
          against trunk revision 1074251.

          +1 @author. The patch does not contain any @author tags.

          -1 tests included. The patch doesn't appear to include any new or modified tests.
          Please justify why no new tests are needed for this patch.
          Also please list what manual steps were performed to verify this patch.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed core unit tests.

          -1 contrib tests. The patch failed contrib unit tests.

          +1 system test framework. The patch passed system test framework compile.

          Test results: https://hudson.apache.org/hudson/job/PreCommit-MAPREDUCE-Build/64//testReport/
          Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-MAPREDUCE-Build/64//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
          Console output: https://hudson.apache.org/hudson/job/PreCommit-MAPREDUCE-Build/64//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12459276/mapreduce-2103.txt against trunk revision 1074251. +1 @author. The patch does not contain any @author tags. -1 tests included. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed core unit tests. -1 contrib tests. The patch failed contrib unit tests. +1 system test framework. The patch passed system test framework compile. Test results: https://hudson.apache.org/hudson/job/PreCommit-MAPREDUCE-Build/64//testReport/ Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-MAPREDUCE-Build/64//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://hudson.apache.org/hudson/job/PreCommit-MAPREDUCE-Build/64//console This message is automatically generated.
          Hide
          Eli Collins added a comment -

          Rationale and code change looks good, testing?

          Show
          Eli Collins added a comment - Rationale and code change looks good, testing?
          Hide
          Todd Lipcon added a comment -

          No need to run test-patch here since it's C++ changes only, and test-patch doesn't do any analysis on the C++.

          Show
          Todd Lipcon added a comment - No need to run test-patch here since it's C++ changes only, and test-patch doesn't do any analysis on the C++.
          Todd Lipcon made changes -
          Link This issue blocks HADOOP-7025 [ HADOOP-7025 ]
          Todd Lipcon made changes -
          Attachment mapreduce-2103.txt [ 12459276 ]
          Hide
          Todd Lipcon added a comment -

          Removes the check for setgid which is not necessary

          Show
          Todd Lipcon added a comment - Removes the check for setgid which is not necessary
          Hide
          Todd Lipcon added a comment -

          Also doesn't need setgid permissions, as far as I can think.

          Show
          Todd Lipcon added a comment - Also doesn't need setgid permissions, as far as I can think.
          Todd Lipcon made changes -
          Status Open [ 1 ] Patch Available [ 10002 ]
          Assignee Todd Lipcon [ tlipcon ]
          Todd Lipcon made changes -
          Field Original Value New Value
          Attachment mapreduce-2103.txt [ 12456263 ]
          Todd Lipcon created issue -

            People

            • Assignee:
              Todd Lipcon
              Reporter:
              Todd Lipcon
            • Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development