Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-7590

Improve container-executor validation check

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 2.0.1-alpha, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, 2.8.0, 2.8.1, 3.0.0-beta1
    • 2.6.6, 3.1.0, 2.10.0, 2.9.1, 3.0.1, 2.8.4, 2.7.6
    • security, yarn
    • None

    Description

      There is minimum check for prefix path for container-executor. If YARN is compromised, attacker can use container-executor to change system files ownership:

      /usr/local/hadoop/bin/container-executor spark yarn 0 etc /home/yarn/tokens /home/spark / ls
      

      This will change /etc to be owned by spark user:

      # ls -ld /etc
      drwxr-s---. 110 spark hadoop 8192 Nov 21 20:00 /etc
      

      Spark user can rewrite /etc files to gain more access. We can improve this with additional check in container-executor:

      1. Make sure the prefix path is owned by the same user as the caller to container-executor.
      2. Make sure the log directory prefix is owned by the same user as the caller.

      Attachments

        1. YARN-7590.001.patch
          7 kB
          Eric Yang
        2. YARN-7590.002.patch
          18 kB
          Eric Yang
        3. YARN-7590.003.patch
          9 kB
          Eric Yang
        4. YARN-7590.004.patch
          10 kB
          Eric Yang
        5. YARN-7590.005.patch
          9 kB
          Eric Yang
        6. YARN-7590.006.patch
          9 kB
          Eric Yang
        7. YARN-7590.007.patch
          9 kB
          Eric Yang
        8. YARN-7590.008.patch
          9 kB
          Eric Yang
        9. YARN-7590.009.patch
          9 kB
          Eric Yang
        10. YARN-7590.010.patch
          9 kB
          Eric Yang
        11. YARN-7590.branch-2.000.patch
          9 kB
          Eric Yang
        12. YARN-7590.branch-2.9.000.patch
          9 kB
          Eric Yang
        13. YARN-7590.branch-2.8.000.patch
          9 kB
          Eric Yang
        14. YARN-7590.branch-2.7.000.patch
          9 kB
          Eric Yang
        15. YARN-7590.branch-2.6.000.patch
          9 kB
          Eric Yang

        Issue Links

          Activity

            People

              eyang Eric Yang
              eyang Eric Yang
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: