Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-7590

Improve container-executor validation check

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.1-alpha, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, 2.8.0, 2.8.1, 3.0.0-beta1
    • Fix Version/s: 2.6.6, 3.1.0, 2.10.0, 2.9.1, 3.0.1, 2.8.4, 2.7.6
    • Component/s: security, yarn
    • Labels:
      None

      Description

      There is minimum check for prefix path for container-executor. If YARN is compromised, attacker can use container-executor to change system files ownership:

      /usr/local/hadoop/bin/container-executor spark yarn 0 etc /home/yarn/tokens /home/spark / ls
      

      This will change /etc to be owned by spark user:

      # ls -ld /etc
      drwxr-s---. 110 spark hadoop 8192 Nov 21 20:00 /etc
      

      Spark user can rewrite /etc files to gain more access. We can improve this with additional check in container-executor:

      1. Make sure the prefix path is owned by the same user as the caller to container-executor.
      2. Make sure the log directory prefix is owned by the same user as the caller.

        Attachments

        1. YARN-7590.001.patch
          7 kB
          Eric Yang
        2. YARN-7590.002.patch
          18 kB
          Eric Yang
        3. YARN-7590.003.patch
          9 kB
          Eric Yang
        4. YARN-7590.004.patch
          10 kB
          Eric Yang
        5. YARN-7590.005.patch
          9 kB
          Eric Yang
        6. YARN-7590.006.patch
          9 kB
          Eric Yang
        7. YARN-7590.007.patch
          9 kB
          Eric Yang
        8. YARN-7590.008.patch
          9 kB
          Eric Yang
        9. YARN-7590.009.patch
          9 kB
          Eric Yang
        10. YARN-7590.010.patch
          9 kB
          Eric Yang
        11. YARN-7590.branch-2.000.patch
          9 kB
          Eric Yang
        12. YARN-7590.branch-2.6.000.patch
          9 kB
          Eric Yang
        13. YARN-7590.branch-2.7.000.patch
          9 kB
          Eric Yang
        14. YARN-7590.branch-2.8.000.patch
          9 kB
          Eric Yang
        15. YARN-7590.branch-2.9.000.patch
          9 kB
          Eric Yang

          Issue Links

            Activity

              People

              • Assignee:
                eyang Eric Yang
                Reporter:
                eyang Eric Yang
              • Votes:
                0 Vote for this issue
                Watchers:
                9 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: