diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c index 37cc6598d5e..33b259117e9 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c @@ -627,8 +627,8 @@ int check_dir(const char* npath, mode_t st_mode, mode_t desired, int finalCompon */ static int create_container_directories(const char* user, const char *app_id, const char *container_id, char* const* local_dir, char* const* log_dir, const char *work_dir) { - // create dirs as 0750 - const mode_t perms = S_IRWXU | S_IRGRP | S_IXGRP; + // create dirs as 0710 + const mode_t perms = S_IRWXU | S_IXGRP; if (app_id == NULL || container_id == NULL || user == NULL || user_detail == NULL || user_detail->pw_name == NULL) { fprintf(LOGFILE, "Either app_id, container_id or the user passed is null.\n"); @@ -669,6 +669,9 @@ static int create_container_directories(const char* user, const char *app_id, sprintf(combined_name, "%s/%s", app_id, container_id); char* const* log_dir_ptr; + // Log dirs need 750 access + const mode_t logdir_perms = S_IRWXU | S_IRGRP | S_IXGRP; + for(log_dir_ptr = log_dir; *log_dir_ptr != NULL; ++log_dir_ptr) { char *container_log_dir = get_app_log_directory(*log_dir_ptr, combined_name); int check = check_nm_local_dir(nm_uid, *log_dir_ptr); @@ -682,7 +685,7 @@ static int create_container_directories(const char* user, const char *app_id, if (container_log_dir == NULL) { free(combined_name); return -1; - } else if (mkdirs(container_log_dir, perms) != 0) { + } else if (mkdirs(container_log_dir, logdir_perms) != 0) { free(container_log_dir); } else { result = 0; @@ -1081,6 +1084,37 @@ int is_mount_cgroups_support_enabled() { DEFAULT_MOUNT_CGROUP_SUPPORT_ENABLED); } +/** + * Function to create the application directories. + * Returns pointer to primary_app_dir or NULL if it fails. + */ +static char *create_app_dirs(const char *user, + const char *app_id, + char* const* local_dirs) +{ + // 750 + mode_t permissions = S_IRWXU | S_IRGRP | S_IXGRP; + char* const* nm_root; + char *primary_app_dir = NULL; + for(nm_root=local_dirs; *nm_root != NULL; ++nm_root) { + char *app_dir = get_app_directory(*nm_root, user, app_id); + if (app_dir == NULL) { + // try the next one + } else if (mkdirs(app_dir, permissions) != 0) { + free(app_dir); + } else if (primary_app_dir == NULL) { + primary_app_dir = app_dir; + } else { + free(app_dir); + } + } + + if (primary_app_dir == NULL) { + fprintf(LOGFILE, "Did not create any app directories\n"); + } + return primary_app_dir; +} + /** * Function to prepare the application directories for the container. */ @@ -1116,25 +1150,9 @@ int initialize_app(const char *user, const char *app_id, return -1; } - // 750 - mode_t permissions = S_IRWXU | S_IRGRP | S_IXGRP; - char* const* nm_root; - char *primary_app_dir = NULL; - for(nm_root=local_dirs; *nm_root != NULL; ++nm_root) { - char *app_dir = get_app_directory(*nm_root, user, app_id); - if (app_dir == NULL) { - // try the next one - } else if (mkdirs(app_dir, permissions) != 0) { - free(app_dir); - } else if (primary_app_dir == NULL) { - primary_app_dir = app_dir; - } else { - free(app_dir); - } - } - + // Create application directories + char *primary_app_dir = create_app_dirs(user, app_id, local_dirs); if (primary_app_dir == NULL) { - fprintf(LOGFILE, "Did not create any app directories\n"); return -1; } @@ -1471,8 +1489,16 @@ int create_local_dirs(const char * user, const char *app_id, goto cleanup; } } + + // Create application directories if not already created by localization + char *primary_app_dir = create_app_dirs(user, app_id, local_dirs); + if (primary_app_dir == NULL) { + goto cleanup; + } + free(primary_app_dir); + // Create container specific directories as user. If there are no resources - // to localize for this container, app-directories and log-directories are + // to localize for this container, log-directories are // also created automatically as part of this call. if (create_container_directories(user, app_id, container_id, local_dirs, log_dirs, work_dir) != 0) { diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c index 63398e85287..519ec93040b 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c @@ -740,6 +740,17 @@ void test_run_container() { printf("FAIL: failed to create container directory %s\n", container_dir); exit(1); } + // Verify no group read permission on container_dir + struct stat st_buf; + if (stat(container_dir, &st_buf) < 0) { + printf("FAIL: failed to stat container directory %s\n", container_dir); + exit(1); + } + if ((st_buf.st_mode & S_IRGRP) != 0) { + printf("FAIL: group read permission should not be set on " + "container directory %s\n", container_dir); + exit(1); + } char buffer[100000]; sprintf(buffer, "%s/foobar", container_dir); if (access(buffer, R_OK) != 0) {