Mikko Kortelainen created HADOOP-17923:
------------------------------------------

             Summary: ShellBasedUnixGroupsMapping: group name containing space can be used to inject group memberships
                 Key: HADOOP-17923
                 URL: https://issues.apache.org/jira/browse/HADOOP-17923
             Project: Hadoop Common
          Issue Type: Bug
          Components: security
    Affects Versions: 3.3.1
            Reporter: Mikko Kortelainen


Group names available from identity management systems, for example sssd, may 
contain space characters when used with, for example, Active Directory. Such a 
group name can be used to inject group memberships granting permission to 
basically any targeted group.

 

Suppose the following scenario:

a) A centralized identity management system is used, where the organization's 
responsible roles are defined to allow access to their named groups.

b) Group "hdfs" grants hdfs-admin permissions and is managed by authorized 
personnel only.

c) The attacker orders the creation of a group named "uploaderformy hdfs" with the 
attacker's user account "attacker1" as a member of that group.

 

This leads to the scenario where ShellBasedUnixGroupsMapping executes the group 
lookup and returns the groups uploaderformy and hdfs for the "attacker1" username, 
as TOKEN_SEPARATOR_REGEX contains the space character in addition to others 
("[ \t\n\r\f]").

This bug was found while working on our own solution based on 
ShellBasedUnixGroupsMapping for [https://github.com/teragrep/]

 

Other versions may be affected as well.

 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-dev-h...@hadoop.apache.org

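The lookup behaviour the report describes, as an added example that is not part of the Jira issue or of Hadoop's code: the whitespace-split parse of group-name output beside a parse that takes numeric GIDs and resolves each one through the group database, so a name containing a space survives intact. It assumes the lookup command is `id -gn <user> && id -Gn <user>` (primary group, then all groups), which is an assumption about Hadoop's Shell class and not stated on the page; the command outputs, the getent table and all function names are constructed for the example.

```python
import re
from typing import Callable, Optional

# Separator quoted in the report: Hadoop's Shell.TOKEN_SEPARATOR_REGEX.
TOKEN_SEPARATOR_REGEX = r"[ \t\n\r\f]"

# Constructed stand-in for the output of `id -gn attacker1 && id -Gn attacker1`
# (primary group on the first line, all groups on the second) on a host whose
# directory contains a group literally named "uploaderformy hdfs" and another
# named "domain users". Sample data, not a real capture.
ID_GN_OUTPUT = "uploaderformy hdfs\nuploaderformy hdfs domain users\n"

# Constructed stand-in for `id -g attacker1 && id -G attacker1`: the same
# memberships as numeric GIDs, which never contain whitespace.
ID_G_OUTPUT = "10001\n10001 10000\n"

# Constructed stand-in for the group database as `getent group <gid>` prints it.
# gid 1000 ("hdfs") does not list attacker1 as a member.
GROUP_DB = {
    "10001": "uploaderformy hdfs:*:10001:attacker1",
    "10000": "domain users:*:10000:attacker1,alice",
    "1000": "hdfs:x:1000:hdfsadmin",
}


def fake_getent_group(gid: str) -> Optional[str]:
    """Stand-in for running `getent group <gid>`; None mirrors a lookup miss."""
    return GROUP_DB.get(gid)


def split_tokens(output: str) -> list:
    """Split command output on the characters in TOKEN_SEPARATOR_REGEX, drop
    empty tokens and de-duplicate while preserving order."""
    tokens = [t for t in re.split(TOKEN_SEPARATOR_REGEX, output) if t]
    return list(dict.fromkeys(tokens))


def groups_from_names(id_gn_output: str) -> list:
    """The behaviour the report describes: every whitespace-separated token of
    `id -gn && id -Gn` is taken as a group name, so "uploaderformy hdfs"
    becomes two memberships, one of them "hdfs"."""
    return split_tokens(id_gn_output)


def groups_from_gids(id_g_output: str,
                     getent_group: Callable[[str], Optional[str]]) -> list:
    """Take numeric GIDs from `id -g && id -G`, then resolve each through the
    group database. The name is the first colon-separated field of the entry,
    so embedded spaces survive and cannot be mistaken for a separator."""
    names = []
    for gid in split_tokens(id_g_output):
        if not gid.isdigit():
            # Fail closed: a non-numeric token means this is not GID output.
            raise ValueError(f"non-numeric token in id -G output: {gid!r}")
        entry = getent_group(gid)
        if entry is None:
            continue  # GID with no resolvable name; grant nothing for it
        names.append(entry.split(":", 1)[0])
    return names


def is_member(groups: list, group: str) -> bool:
    """Membership check as an authorization layer would perform it."""
    return group in groups


if __name__ == "__main__":
    by_name = groups_from_names(ID_GN_OUTPUT)
    by_gid = groups_from_gids(ID_G_OUTPUT, fake_getent_group)
    print("whitespace split:", by_name, "-> hdfs member:", is_member(by_name, "hdfs"))
    print("gid resolution  :", by_gid, "-> hdfs member:", is_member(by_gid, "hdfs"))
```

The GID route costs one extra lookup per group, and on a directory-backed host each `getent` may go to sssd's cache or the directory, so the result should still be cached the way Hadoop's Groups cache does; whether Hadoop adopted this particular approach for the issue is not something this message states. Any parser that receives group names over a whitespace-delimited channel, including local scripts that shell out to `groups` or `id -Gn`, has the same problem and deserves the same check.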