[ https://issues.apache.org/jira/browse/BIGTOP-1050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13791915#comment-13791915 ]

Aaron T. Myers commented on BIGTOP-1050:
----------------------------------------

bq. We don't need the users to be able to even read the file. So 
6050:root:<special group to which user running NM is part of> is the most 
restrictive permission that will work just fine.

Sure, but do you agree that it's actually over-restrictive? x7xx is not in fact 
more permissive, since it's owned by root and root can read/write/execute any 
file in the local FS. xxx4 doesn't allow users to write or execute, and being 
able to read the file shouldn't impact the security of the system at all.

4754 is what we used to have for the LTC, and I know of no good reason why the 
LCE should be treated differently.

> Permissions on YARN LCE should be 4754
> --------------------------------------
>
>                 Key: BIGTOP-1050
>                 URL: https://issues.apache.org/jira/browse/BIGTOP-1050
>             Project: Bigtop
>          Issue Type: Bug
>            Reporter: Sean Mackrory
>            Assignee: Sean Mackrory
>            Priority: Blocker
>             Fix For: 0.7.0
>
>         Attachments: 
> 0001-BIGTOP-1050.-Permissions-on-YARN-LCE-should-be-4754.patch
>
>
> The permissions we set for the YARN container executor are not exactly 
> correct and are different from what we used to set for the MRv1 task 
> containers. The requirements for the permissions are as follows:
> * Readable/executable by the group
> * Not executable by others
> * Not writable by others
> * Set UID
> * Owned by root
> I've tested this in YARN and have tested that I can still submit and run jobs 
> successfully with these new permissions. This is somewhat second-hand 
> information, so I'll CC [~atm] in case I've missed any important details or 
> context...



--
This message was sent by Atlassian JIRA
(v6.1#6144)
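
The requirements listed in the issue description, written as a check on a file's mode and owner. This is an added example, not part of the original thread or the attached patch; the function names and sample values are constructed here, and it encodes only the listed requirements, not whatever checks the container executor itself performs.

```python
import os
import stat

GROUP_RX = stat.S_IRGRP | stat.S_IXGRP


def lce_violations(mode, uid):
    """Return which requirements from the issue description (mode, uid) breaks.

    mode is the permission bits including setuid/setgid (e.g. 0o4754),
    uid is the numeric owner of the file.
    """
    problems = []
    if uid != 0:
        problems.append("not owned by root")
    if not mode & stat.S_ISUID:
        problems.append("setuid bit not set")
    if mode & GROUP_RX != GROUP_RX:
        problems.append("not readable/executable by the group")
    if mode & stat.S_IXOTH:
        problems.append("executable by others")
    if mode & stat.S_IWOTH:
        problems.append("writable by others")
    return problems


def audit(path):
    """Apply the same check to a file on disk (path supplied by the caller)."""
    st = os.stat(path)
    return lce_violations(stat.S_IMODE(st.st_mode), st.st_uid)


# Constructed samples: the two modes debated in the thread, then broken variants.
SAMPLES = [
    (0o4754, 0),     # proposed in the issue title
    (0o6050, 0),     # the more restrictive mode quoted in the comment
    (0o4755, 0),     # others can execute
    (0o0754, 0),     # setuid missing
    (0o4754, 1000),  # owned by an unprivileged user
]

if __name__ == "__main__":
    for mode, uid in SAMPLES:
        found = lce_violations(mode, uid)
        print(f"{mode:04o} uid={uid}: {'ok' if not found else '; '.join(found)}")
```

Both 4754 and 6050 pass every listed requirement; the two modes differ only in the owner bits, the setgid bit and read access for others, which is the difference the comment above argues about.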
