container-executor performs only minimal checks on the prefix path. If YARN is compromised, an attacker can use container-executor to change the ownership of system files:
This will change /etc to be owned by the spark user:
The spark user can then rewrite files in /etc to gain more access. We can improve this with additional checks in container-executor:
- Make sure the prefix path is owned by the same user as the caller to container-executor.
- Make sure the log directory prefix is owned by the same user as the caller.
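
One way the two proposed checks could look, as an added example that is not container-executor's own code. The function names `check_dir_owned_by` and `validate_prefixes` are hypothetical, and the caller is assumed to be identified by its real UID.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not from the Hadoop source): returns 0 only if
 * `path` is a real directory owned by `caller_uid`, -1 otherwise. */
int check_dir_owned_by(const char *path, uid_t caller_uid) {
  struct stat sb;
  int rc = -1;
  /* Open first and fstat the descriptor, so the object checked is the
   * object opened. O_NOFOLLOW rejects a symlink as the final component
   * only; intermediate components are still resolved normally. */
  int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
  if (fd < 0) return -1;
  if (fstat(fd, &sb) == 0 && S_ISDIR(sb.st_mode) && sb.st_uid == caller_uid)
    rc = 0;
  close(fd);
  return rc;
}

/* Apply both proposed checks before any ownership change is attempted. */
int validate_prefixes(const char *prefix, const char *log_prefix,
                      uid_t caller_uid) {
  if (check_dir_owned_by(prefix, caller_uid) != 0) {
    fprintf(stderr, "prefix path %s not owned by caller\n", prefix);
    return -1;
  }
  if (check_dir_owned_by(log_prefix, caller_uid) != 0) {
    fprintf(stderr, "log prefix %s not owned by caller\n", log_prefix);
    return -1;
  }
  return 0;
}

int main(void) {
  /* On a typical system /etc is owned by root, so a non-root caller
   * passing it as a prefix is refused. */
  int rc = validate_prefixes("/etc", "/etc", getuid());
  printf("/etc as prefix for uid %ld: %s\n", (long)getuid(),
         rc == 0 ? "accepted" : "rejected");
  return 0;
}
```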