[
https://issues.apache.org/jira/browse/HDFS-8312?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15526388#comment-15526388
]
Weiwei Yang commented on HDFS-8312:
-----------------------------------
Hello [~daryn]
bq.A user always has permissions to their own trash
True
bq.When would insufficient permissions occur?
Suppose userA has no privilege to delete fileB, directly {{FS.delete(fileB)}}
will fail. However {{FS.rename(fileB, fileBinTrash)}} would success because it
only checks the write access to parent of fileB and write access to ancestor of
fileBinTrash. You can also refer the reproduce steps in description and [this
comment |
https://issues.apache.org/jira/browse/HDFS-8312?focusedCommentId=15407456&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15407456].
The patch fixed the rename API by adding the permission check of delete when
the destination is to the trash directory, this has to be fixed otherwise the
it exposes the security hole that malicious user would use rename to move other
people's file/dir to trash and subsequently got deleted.
> Trash does not descent into child directories to check for permissions
> ----------------------------------------------------------------------
>
> Key: HDFS-8312
> URL: https://issues.apache.org/jira/browse/HDFS-8312
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: fs, security
> Affects Versions: 2.2.0, 2.6.0, 2.7.2
> Reporter: Eric Yang
> Assignee: Weiwei Yang
> Priority: Critical
> Fix For: 2.9.0, 3.0.0-alpha1
>
> Attachments: HDFS-8312-001.patch, HDFS-8312-002.patch,
> HDFS-8312-003.patch, HDFS-8312-004.patch, HDFS-8312-005.patch,
> HDFS-8312-testcase.patch
>
>
> HDFS trash does not descent into child directory to check if user has
> permission to delete files. For example:
> Run the following command to initialize directory structure as super user:
> {code}
> hadoop fs -mkdir /BSS/level1
> hadoop fs -mkdir /BSS/level1/level2
> hadoop fs -mkdir /BSS/level1/level2/level3
> hadoop fs -put /tmp/appConfig.json /BSS/level1/level2/level3/testfile.txt
> hadoop fs -chown user1:users /BSS/level1/level2/level3/testfile.txt
> hadoop fs -chown -R user1:users /BSS/level1
> hadoop fs -chown -R 750 /BSS/level1
> hadoop fs -chmod -R 640 /BSS/level1/level2/level3/testfile.txt
> hadoop fs -chmod 775 /BSS
> {code}
> Change to a normal user called user2.
> When trash is enabled:
> {code}
> sudo su user2 -
> hadoop fs -rm -r /BSS/level1
> 15/05/01 16:51:20 INFO fs.TrashPolicyDefault: Namenode trash configuration:
> Deletion interval = 3600 minutes, Emptier interval = 0 minutes.
> Moved: 'hdfs://bdvs323.svl.ibm.com:9000/BSS/level1' to trash at:
> hdfs://bdvs323.svl.ibm.com:9000/user/user2/.Trash/Current
> {code}
> When trash is disabled:
> {code}
> /opt/ibm/biginsights/IHC/bin/hadoop fs -Dfs.trash.interval=0 -rm -r
> /BSS/level1
> 15/05/01 16:58:31 INFO fs.TrashPolicyDefault: Namenode trash configuration:
> Deletion interval = 0 minutes, Emptier interval = 0 minutes.
> rm: Permission denied: user=user2, access=ALL,
> inode="/BSS/level1":user1:users:drwxr-x---
> {code}
> There is inconsistency between trash behavior and delete behavior. When
> trash is enabled, files owned by user1 is deleted by user2. It looks like
> trash does not recursively validate if the child directory files can be
> removed.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
