Uploaded image for project: 'Mesos'
  1. Mesos
  2. MESOS-9876

Use geteuid to determine subprocess' user when launching task.

    XMLWordPrintableJSON

    Details

      Description

      I have to run mesos-agent as root(or some user with root privilege) to isolate tasks' execution environment. For security, we 

      1. chmod +s to mesos-agent and then run it as some user A(We'll ssh as user A to do some ops, but NOT every has root privilege.).
      2. use --switch_user to restrict tasks' capabilities(e.g. "rm -rf /" is not allowed).

      The problem is that if we set CommandInfo.User to A(the same one running mesos-agent), the check in MesosContainerizerLaunch::execute()

      if(uid.get() != os::getuid().get()){
        // some code
      }

      will always be false. As a result, all subprocesses will run as root. 

      So I suggest that we use geteuid here to replace getuid, namely

      if (uid.get() != ::geteuid()){ 
        // some code 
      }
      

       

       

        Attachments

          Activity

            People

            • Assignee:
              carlone longfei
              Reporter:
              carlone longfei
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: