Uploaded image for project: 'Mesos'
  1. Mesos
  2. MESOS-8917

Agent leaking file descriptors into forked processes

    XMLWordPrintableJSON

    Details

    • Sprint:
      Mesosphere Sprint 2018-20, Mesosphere Sprint 2018-21, Mesosphere Sprint 2018-22, Mesosphere Sprint 2018-23
    • Story Points:
      3

      Description

      If not all file descriptors are carefully open'ed with O_CLOEXEC the Mesos agent might leak them into forked processes e.g., executors. This presents a potential security issue as such processes can interfere with the agent.

      The current approach is to fix all invocations of open to always set O_CLOEXEC, but this approach breaks down when using 3rdparty libraries as there is no reliable way to patch unbundled dependencies.

      It seems a more reliable approach would be to close all but a whitelisted set of file descriptors when after fork, but before the exec*. It should be possible to assemble such a whitelist for the typical use cases (e.g., in for the Mesos containerizer's  launch) and pass it to a modified functions to start subprocess. We might need to audit uses of raw fork in the code.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                bbannier Benjamin Bannier
                Reporter:
                bbannier Benjamin Bannier
                Shepherd:
                Jie Yu
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: