[
https://issues.apache.org/jira/browse/HDDS-1712?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16889300#comment-16889300
]
Anu Engineer commented on HDDS-1712:
------------------------------------
First of all, there is no vulnerability. That is just FUD that is being spewed
by you. If there is a CVE in the Docker world, the fix is to upgrade Docker. So I
completely disagree.
Second, the example of running Docker on your machine means that you need to be
able to install Docker, which implies that you are an admin on that machine. If
not, you cannot run this. Now your argument is that someone can write some code
which has some issue, and my answer has been that what you are saying can be
done with Hadoop as well. Someone can write backdoors, and that is why we have
committers: to make sure that someone does not do random crap like this.
The third and most important point: the quick start guide explains what Ozone
is. It is not a guide on how to run Ozone. I gather that you have never taken a
look at the current documentation on trunk or 0.4.1.
So I am still against you wasting countless hours with pointless discussion, and
I am -1.
> Remove sudo access from Ozone docker image
> ------------------------------------------
>
> Key: HDDS-1712
> URL: https://issues.apache.org/jira/browse/HDDS-1712
> Project: Hadoop Distributed Data Store
> Issue Type: Bug
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Major
> Labels: pull-request-available
> Attachments: HDDS-1712.001.hadoop-docker-ozone.patch,
> HDDS-1712.001.patch, HDDS-1712.002.patch
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> Ozone docker image is given unlimited sudo access to hadoop user. This poses
> a security risk where host level user uid 1000 can attach a debugger to the
> container process to obtain root access.