Mesos / MESOS-5845

The fetcher can access any local file as root

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.0.0
    • Component/s: fetcher
    • Sprint: Mesosphere Sprint 39
    • Story Points: 3

      Description

      The Mesos fetcher currently runs as root and does a blind cp+chown of any file:// URI into the task's sandbox, to be owned by the task user. Even if frameworks are restricted from running tasks as root, it seems they can still access root-protected files in this way. We should secure the fetcher so that it has the filesystem permissions of the user its associated task is being run as. One option would be to run the fetcher as the same user that the task will run as.

              People

              • Assignee: Greg Mann (greggomann)
              • Reporter: Greg Mann (greggomann)
              • Shepherd: Jie Yu
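
The mitigation proposed in the description (fetch with the task user's filesystem permissions rather than root's), sketched as an added example. This is not Mesos code: `fetch_as_user`, `drop_privileges` and the exit codes are hypothetical, and the sandbox directory is assumed to be writable by the task user already.

```cpp
// Added example (not Mesos source): copy a file:// source into the sandbox
// with the task user's filesystem permissions instead of root's.
#include <cstdlib>
#include <fcntl.h>
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

// Hypothetical helper: permanently switch this process to uid/gid.
static bool drop_privileges(uid_t uid, gid_t gid) {
  if (geteuid() == uid && getegid() == gid) return true;  // already the task user
  if (geteuid() != 0) return false;                       // only root can switch
  // Order matters: supplementary groups, then gid, then uid.
  if (setgroups(1, &gid) != 0) return false;
  if (setgid(gid) != 0 || setuid(uid) != 0) return false;
  return uid == 0 || setuid(0) != 0;  // regaining root must fail
}

// Hypothetical fetch step. Exit codes: 0 ok, 2 drop failed, 3 source not
// readable by the task user, 4 destination not creatable, 5/6 I/O error.
int fetch_as_user(const char* src, const char* dst, uid_t uid, gid_t gid) {
  pid_t pid = fork();
  if (pid < 0) return -1;
  if (pid == 0) {
    // Drop BEFORE touching the source, so the kernel checks the task user.
    if (!drop_privileges(uid, gid)) _exit(2);
    int in = open(src, O_RDONLY | O_CLOEXEC);
    if (in < 0) _exit(3);
    // Created by the task user, so no root-side chown is needed afterwards.
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (out < 0) _exit(4);
    char buf[4096];
    ssize_t n;
    while ((n = read(in, buf, sizeof buf)) > 0)
      if (write(out, buf, n) != n) _exit(5);
    _exit(n == 0 ? 0 : 6);
  }
  int status = 0;
  if (waitpid(pid, &status, 0) < 0) return -1;
  return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char** argv) {  // usage: fetch SRC DST UID GID
  if (argc != 5) return 64;
  return fetch_as_user(argv[1], argv[2], (uid_t)strtoul(argv[3], nullptr, 10),
                       (gid_t)strtoul(argv[4], nullptr, 10));
}
```

Run as root with an unprivileged UID/GID, a source that is mode 0600 and owned by root fails with exit code 3 instead of being copied and chowned.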