Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
None
-
Mesosphere Sprint 39
-
3
Description
The Mesos fetcher currently runs as root and does a blind cp+chown of any file:// URI into the task's sandbox, to be owned by the task user. Even if frameworks are restricted from running tasks as root, it seems they can still access root-protected files in this way. We should secure the fetcher so that it has the filesystem permissions of the user its associated task is being run as. One option would be to run the fetcher as the same user that the task will run as.
Attachments
Issue Links
- is related to
-
MESOS-5218 Fetcher should not chown the entire sandbox.
- Resolved
- relates to
-
MESOS-5924 Fetcher may print logging error when run as unprivileged user
- Open