  1. Mesos
  2. MESOS-5845

The fetcher can access any local file as root


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 1.0.0
    • fetcher
    • Mesosphere Sprint 39
    • 3

    Description

      The Mesos fetcher currently runs as root and does a blind cp+chown of any file:// URI into the task's sandbox, to be owned by the task user. Even if frameworks are restricted from running tasks as root, it seems they can still access root-protected files in this way. We should secure the fetcher so that it has the filesystem permissions of the user its associated task is being run as. One option would be to run the fetcher as the same user that the task will run as.
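One way to implement the option suggested in the description, copying the source in a child process that has already dropped to the task user. This is an added example, not Mesos code and not the change that resolved this issue; `fetch_as_user` and its exit codes are hypothetical, and supplementary groups are reduced to the primary gid as a simplifying assumption.

```cpp
// Added example (not Mesos code): copy a file:// source with the task
// user's filesystem permissions instead of root's.
#include <fcntl.h>
#include <grp.h>
#include <string>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

// Child exit codes: 0 ok, 3 privilege drop failed, 4 source unreadable,
// 5 destination not creatable, 6 copy error. Returns -1 if fork/wait fails.
int fetch_as_user(const std::string& src, const std::string& dst,
                  uid_t uid, gid_t gid) {
  pid_t pid = fork();
  if (pid < 0) return -1;
  if (pid == 0) {
    // Drop privileges in the child only: groups, then gid, then uid.
    // Changing uid first would leave no privilege to change the groups.
    if (geteuid() == 0 && setgroups(1, &gid) != 0) _exit(3);
    if (setgid(gid) != 0 || setuid(uid) != 0) _exit(3);
    // The drop must be irreversible before any path is touched.
    if (uid != 0 && setuid(0) == 0) _exit(3);

    // The kernel now applies the task user's permissions to the open().
    int in = open(src.c_str(), O_RDONLY | O_CLOEXEC);
    if (in < 0) _exit(4);
    // Created by the task user, so no later chown as root is needed.
    int out = open(dst.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (out < 0) _exit(5);

    char buf[65536];
    ssize_t n;
    while ((n = read(in, buf, sizeof buf)) > 0) {
      for (ssize_t off = 0; off < n;) {
        ssize_t w = write(out, buf + off, n - off);
        if (w < 0) _exit(6);
        off += w;
      }
    }
    _exit(n < 0 ? 6 : 0);
  }
  int status = 0;
  if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
  return WEXITSTATUS(status);
}
```

Because the open happens after the drop, a root-protected source fails with a permission error instead of being copied and chowned into the sandbox.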


            People

              greggomann Greg Mann
              greggomann Greg Mann
              Jie Yu Jie Yu