[
https://issues.apache.org/jira/browse/HDDS-1712?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16886287#comment-16886287
]
Elek, Marton commented on HDDS-1712:
------------------------------------
bq. Root can jail break from container, when mounting host level files is
allowed, such as mounting /etc/passwd, /proc, /sys/fs. In the Pull Request
#1053, it demonstrates the danger to give hadoop user root privileges without
restriction. By printing a write line to /etc/passwd file, this allows hadoop
user to install a root user into host. Hadoop user has the power to create
chaos, when too much privileges is given. We can remove the risk by giving it
non-root privileges access in container.
See my comment in the pull request, this is an independent problem. Even
without sudo I can do the same (use ubuntu image + mount host path)
bq. Would you be open to fix smoke test on a follow up ticket?
Definitely not. This patch breaks something which works currently. If some of
the mentioned points makes harder to post a proper, fully functional patch,
please fix that issue *in advance* . Thanks a lot.
> Remove sudo access from Ozone docker image
> ------------------------------------------
>
> Key: HDDS-1712
> URL: https://issues.apache.org/jira/browse/HDDS-1712
> Project: Hadoop Distributed Data Store
> Issue Type: Bug
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Major
> Labels: pull-request-available
> Attachments: HDDS-1712.001.patch
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> Ozone docker image is given unlimited sudo access to hadoop user. This poses
> a security risk where host level user uid 1000 can attach a debugger to the
> container process to obtain root access.
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
