Details
Description
There is minimal checking of the prefix path in container-executor. If YARN is compromised, an attacker can use container-executor to change the ownership of system files:
/usr/local/hadoop/bin/container-executor spark yarn 0 etc /home/yarn/tokens /home/spark / ls
This will change /etc to be owned by the spark user:
# ls -ld /etc
drwxr-s---. 110 spark hadoop 8192 Nov 21 20:00 /etc
The spark user can then rewrite files under /etc to gain further access. We can improve this with additional checks in container-executor:
- Make sure the prefix path is owned by the same user as the caller to container-executor.
- Make sure the log directory prefix is owned by the same user as the caller.
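The guard described by the two items above, written out as an added example rather than the container-executor patch itself: a hypothetical check_prefix_for_user() that refuses a prefix directory unless it is a real directory (not a symlink) already owned by the run-as user. The function names and the temporary directory created by main() are constructed for this illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Return 1 if 'path' is a plain directory owned by 'expected_uid', else 0.
 * lstat() is used so that a symlink pointing at a directory owned by
 * someone else does not pass the check. Hypothetical helper, not
 * container-executor code. */
int dir_owned_by(const char *path, uid_t expected_uid) {
    struct stat st;
    if (lstat(path, &st) != 0) {
        return 0;                /* missing or unreadable: treat as not owned */
    }
    if (!S_ISDIR(st.st_mode)) {
        return 0;                /* symlinks and regular files are rejected */
    }
    return st.st_uid == expected_uid;
}

/* Mirrors the proposed guard: a prefix (local dir or log dir) is only
 * acceptable if the run-as user already owns it. Returns 0 when the
 * prefix is acceptable and -1 when it must be refused. */
int check_prefix_for_user(const char *prefix, uid_t run_as_uid) {
    if (prefix == NULL || prefix[0] != '/') {
        return -1;               /* only absolute paths are considered */
    }
    if (!dir_owned_by(prefix, run_as_uid)) {
        fprintf(stderr, "refusing prefix %s: not owned by uid %u\n",
                prefix, (unsigned)run_as_uid);
        return -1;
    }
    return 0;
}

int main(void) {
    /* Constructed sample: a fresh directory owned by the current user. */
    char tmpl[] = "/tmp/ce-prefix-XXXXXX";
    char *dir = mkdtemp(tmpl);
    if (dir == NULL) {
        return 1;
    }
    uid_t me = getuid();
    printf("own dir:   %d\n", check_prefix_for_user(dir, me));      /* 0  */
    printf("other uid: %d\n", check_prefix_for_user(dir, me + 1));  /* -1 */
    rmdir(dir);
    return 0;
}
```

With this guard in place, the command in the description would be refused at the prefix check, because / is owned by root rather than by the spark user; the same check applied to the log directory prefix closes the second variant.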
Attachments
Issue Links
- blocks YARN-7705 Create the container log directory with correct sticky bit in C code (Resolved)