[
https://issues.apache.org/jira/browse/HDDS-1712?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16889280#comment-16889280
]
Eric Yang commented on HDDS-1712:
---------------------------------
{quote}I am -1; on this patch and wasteful discussion. As I have clearly said
many times; these are to be treated as examples and documentation, not as part
of the product. Unless there is a change in that status, I am not willing to
commit this patch.{quote}
With all due respect, I cannot agree that this is just examples and
documentation. According to the [Alpha
cluster|https://hadoop.apache.org/ozone/docs/0.4.0-alpha/runningviadocker.html]
documentation, this is the first thing that you ask people to try. No matter
if you try Ozone from binary, or building from source, in all paths, the
Ozone-runner image is used. Hence, there is no path that avoids the
vulnerable docker image according to the Ozone website. Although there is a path
to manually set up without running the smoke test and use the tarball binary, this path
is not documented in any known material. Hence, this vulnerable docker image
puts everyone who tries Ozone at risk. [Security is
mandatory|https://www.apache.org/foundation/how-it-works.html#philosophy] is
one of Apache's guiding principles. Please be considerate of others: at minimum,
fully document the tarball instructions to avoid the mistake, or simply polish the
code to a more presentable state before release.
> Remove sudo access from Ozone docker image
> ------------------------------------------
>
> Key: HDDS-1712
> URL: https://issues.apache.org/jira/browse/HDDS-1712
> Project: Hadoop Distributed Data Store
> Issue Type: Bug
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Major
> Labels: pull-request-available
> Attachments: HDDS-1712.001.hadoop-docker-ozone.patch,
> HDDS-1712.001.patch, HDDS-1712.002.patch
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> Ozone docker image is given unlimited sudo access to hadoop user. This poses
> a security risk where host level user uid 1000 can attach a debugger to the
> container process to obtain root access.