[
https://issues.apache.org/jira/browse/HADOOP-13673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15822525#comment-15822525
]
Allen Wittenauer commented on HADOOP-13673:
-------------------------------------------
Thanks for the feedback [~raviprak] and [~andrew.wang] (who did his offline
while JIRA was down). -04 should cover all of the very valid points you've
raised.
bq. I'm not exactly sure how HADOOP_REEXECED_CMD is being used to prevent a
fork bomb, but could a script set it to false explicitly as part of itself?
i.e. what's preventing access to that variable from a user script?
Anything that runs inside the environment can of course wreak havoc on
anything. If we ignore bad actors, what happens is this:
1. user runs command
2. command determines that _USER has been set and it needs to get re-executed
as a different user.
3. command calls itself with same parameters, etc, but adds --reexec to the
command line
4. if for some reason command calls itself again, there will be two --reexec's
on the command line (since those options aren't stripped) which will stop it
during the param parsing. Additionally, hadoop_need_reexec will return false
as well.
Sure, it's not as strong as a semaphore, but I think it should stop most
non-malicious code.
> Update scripts to be smarter when running with privilege
> --------------------------------------------------------
>
> Key: HADOOP-13673
> URL: https://issues.apache.org/jira/browse/HADOOP-13673
> Project: Hadoop Common
> Issue Type: New Feature
> Components: scripts
> Affects Versions: 3.0.0-alpha1, 3.0.0-alpha2
> Reporter: Allen Wittenauer
> Assignee: Allen Wittenauer
> Labels: security
> Attachments: HADOOP-13673.00.patch, HADOOP-13673.01.patch,
> HADOOP-13673.02.patch, HADOOP-13673.03.patch
>
>
> As work continues on HADOOP-13397, it's become evident that we need better
> hooks to start daemons as specifically configured users. Via the
> (command)_(subcommand)_USER environment variables in 3.x, we actually have a
> standardized way to do that. This in turn means we can make the sbin scripts
> super functional with a bit of updating:
> * Consolidate start-dfs.sh and start-secure-dns.sh into one script
> * Make start-\*.sh and stop-\*.sh know how to switch users when run as root
> * Undeprecate start/stop-all.sh so that it could be used as root for
> production purposes and as a single user for non-production users
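The re-exec guard described in the comment above, as an added POSIX shell illustration that is not Hadoop's own code: HADOOP_SUBCMD_USER stands in for the real (command)_(subcommand)_USER variable, and all function names are assumptions for this demo. It shows the two independent stops the comment mentions (the need-reexec check and the doubled --reexec flag) and why a launcher that re-executes unconditionally still halts after two hops.

```shell
# Added illustration of the --reexec guard (not Hadoop's own code).
# HADOOP_SUBCMD_USER and all function names are assumptions for this demo.

# Count --reexec flags; they are appended, never stripped, so 2 means a second hop.
count_reexec() {
  n=0
  for arg in "$@"; do
    if [ "$arg" = "--reexec" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Mirrors the hadoop_need_reexec check: target user set, differs, no --reexec yet.
need_reexec() {
  current_user="$1"; shift
  [ -n "${HADOOP_SUBCMD_USER:-}" ] || return 1
  [ "$HADOOP_SUBCMD_USER" != "$current_user" ] || return 1
  [ "$(count_reexec "$@")" -eq 0 ] || return 1
}

# "run" in place, "reexec" as the configured user, "abort" when --reexec appears twice.
launch_decision() {
  current_user="$1"; shift
  case "$(count_reexec "$@")" in
    0) if need_reexec "$current_user" "$@"; then echo reexec; else echo run; fi ;;
    1) echo run ;;
    *) echo abort ;;
  esac
}

# Well-behaved launcher: re-executes once, then runs. Prints "<hops>:<decision>".
simulate() {
  depth="$1"; current_user="$2"; shift 2
  decision="$(launch_decision "$current_user" "$@")"
  case "$decision" in
    reexec) simulate $((depth + 1)) "$current_user" "$@" --reexec ;;
    *) echo "$depth:$decision" ;;
  esac
}

# Misbehaving launcher that re-executes unconditionally: stops after two hops anyway.
simulate_buggy() {
  depth="$1"; shift
  case "$(count_reexec "$@")" in
    0|1) simulate_buggy $((depth + 1)) "$@" --reexec ;;
    *) echo "$depth" ;;
  esac
}
```

Running `HADOOP_SUBCMD_USER=hdfs simulate 0 root namenode` prints `1:run`, while `simulate_buggy 0 namenode` prints `2`, the point at which the parser sees the doubled flag.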