Description
Running a task as 'nobody':
sh -c 'whoami && ls -l && sleep 1001'
nobody
-rw-r--r--. 1 nobody nobody 2199 Jul 7 00:12 stderr
-rw-r--r--. 1 nobody nobody 208 Jul 7 00:12 stdout
As a user of a multi-tenant Mesos, I would expect my task logs to be inaccessible to other users/tasks on the same node. Filesystem isolation helps from one angle, but basic Linux filesystem permissions are just good practice.
There's no reason that any user other than the task user (i.e. the task itself) and root (e.g. Mesos agent) should be able to access these logs.
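One way to audit for the condition described above, as an added example that is not part of the original report and is not Mesos code: it builds a constructed sandbox in a temporary directory, lists `stdout`/`stderr` files that grant any access to group or other, and strips that access. The function names and directory layout are assumptions, and `-perm /077` requires GNU find.

```shell
#!/bin/sh
# Added example; sandbox layout and function names are assumptions,
# not Mesos paths or APIs. Requires GNU find for "-perm /MODE"
# (true when any of the listed permission bits is set).

# Create stdout/stderr in directory $1 under umask $2, the way a process
# that opens its log files with the default mode 0666 would.
make_logs() {
    ( umask "$2" && mkdir -p "$1" && : > "$1/stdout" && : > "$1/stderr" )
}

# List task log files under $1 that grant any permission to group or other.
exposed_logs() {
    find "$1" -type f \( -name stdout -o -name stderr \) -perm /077 -print
}

# Number of exposed log files under $1.
exposed_count() {
    exposed_logs "$1" | wc -l | tr -d ' '
}

# Remove group/other access from every exposed log under $1,
# leaving the owner's bits untouched (0644 becomes 0600).
tighten_logs() {
    exposed_logs "$1" | while IFS= read -r f; do chmod go-rwx "$f"; done
}

# Constructed demonstration: one sandbox written under umask 022
# (reproduces the -rw-r--r-- files in the report), one under umask 077.
demo() {
    root=$(mktemp -d) || return 1
    make_logs "$root/task-a" 022
    make_logs "$root/task-b" 077
    echo "exposed before: $(exposed_count "$root")"
    exposed_logs "$root"
    tighten_logs "$root"
    echo "exposed after:  $(exposed_count "$root")"
    rm -rf "$root"
}

demo
```

Only the files created under umask 022 are reported; the ones created under umask 077 come out as 0600 and never appear in the listing.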
Issue Links
- is related to MESOS-5856 Logrotate ContainerLogger module does not rotate logs when run as root with `--switch_user`. (Resolved)