[
https://issues.apache.org/jira/browse/MESOS-2542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14387897#comment-14387897
]
Jay Buffington commented on MESOS-2542:
---------------------------------------
Also we should consider no_new_privs. From
https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt
{quote}
With no_new_privs set, execve promises not to grant the privilege to do
anything that could not have been done without the execve call. For example,
the setuid and setgid bits will no longer change the uid or gid; file
capabilities will not add to the permitted set
{quote}
> mesos containerizer should not allow tasks to run as root inside scheduler
> specified rootfs
> -------------------------------------------------------------------------------------------
>
> Key: MESOS-2542
> URL: https://issues.apache.org/jira/browse/MESOS-2542
> Project: Mesos
> Issue Type: Technical task
> Components: containerization
> Reporter: Jay Buffington
>
> If a task has root in the container it’s fairly well documented how to break
> out of the chroot and get root privs outside the container. Therefore, when
> the mesos containerizer specifies an arbitrary rootfs to chroot into we need
> to be careful to not allow the task to get root access.
> There are likely at least two options to consider here. One is user
> namespaces[1] wherein the user has “root” inside the container, but outside
> the container that root user is mapped to an unprivileged user. Another
> option is to mount all user specified rootfs with a nosetuid flag and
> strictly control /etc/passwd.
> [1] https://lwn.net/Articles/532593/
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
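The sequence the comment and the ticket describe, as an added example (not Mesos code, and not code from the commenter): a hypothetical C launcher that bind-mounts the scheduler-specified rootfs nosuid, chroots into it, drops to a numeric unprivileged uid/gid chosen by the launcher rather than by the rootfs's /etc/passwd, sets no_new_privs, and only then execs the task. The helper names (enable_no_new_privs, launch_in_rootfs, etc.) are this example's own. It assumes Linux 3.5 or later for PR_SET_NO_NEW_PRIVS; the launcher path itself must run as root with CAP_SYS_ADMIN and CAP_SYS_CHROOT, while the prctl helpers run unprivileged.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set the no_new_privs bit on the calling thread. Forked children and
 * execve'd programs inherit it. Returns 0 on success, -1 (errno set) on failure. */
int enable_no_new_privs(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* 1 if the bit is set on the calling thread, 0 if not, -1 on error. */
int no_new_privs_enabled(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* The kernel accepts only arg2 == 1 for PR_SET_NO_NEW_PRIVS, so trying to
 * clear the bit fails with EINVAL: once set it is irrevocable for the process.
 * Returns 0 if it was cleared (it never is), otherwise errno. */
int try_clear_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == 0)
        return 0;
    return errno;
}

/* Fork and let the child report whether it inherited the bit.
 * Returns 1 if the child sees it set, 0 if not, -1 on error. */
int child_inherits_no_new_privs(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(no_new_privs_enabled() == 1 ? 1 : 0);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Hypothetical launcher (example only): run argv inside rootfs as uid:gid with
 * setuid binaries neutralised twice over (nosuid mount + no_new_privs).
 * Needs CAP_SYS_ADMIN and CAP_SYS_CHROOT. Returns -1 with errno set on any
 * failure; on success it never returns because execv replaces the process. */
int launch_in_rootfs(const char *rootfs, uid_t uid, gid_t gid, char *const argv[])
{
    if (uid == 0) {              /* the whole point is to not be root inside */
        errno = EINVAL;
        return -1;
    }
    /* A bind mount ignores the other flags passed with MS_BIND, so apply
     * nosuid/nodev with a second MS_REMOUNT|MS_BIND call. Note this covers the
     * top mount only; submounts under rootfs keep their own flags. */
    if (mount(rootfs, rootfs, NULL, MS_BIND | MS_REC, NULL) < 0)
        return -1;
    if (mount(NULL, rootfs, NULL, MS_BIND | MS_REMOUNT | MS_NOSUID | MS_NODEV, NULL) < 0)
        return -1;
    if (chroot(rootfs) < 0 || chdir("/") < 0)
        return -1;
    /* Drop supplementary groups, then gid, then uid; check every call. */
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    /* Verify the drop really happened: regaining uid 0 must now be refused. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid) {
        errno = EPERM;
        return -1;
    }
    /* Last step before exec: no setuid bit or file capability in the rootfs
     * (or anywhere else) can raise privilege across this execve or later ones. */
    if (enable_no_new_privs() < 0)
        return -1;
    execv(argv[0], argv);
    return -1;
}

int main(int argc, char *argv[])
{
    if (argc >= 5) {
        /* usage: ./launcher <rootfs> <uid> <gid> <program> [args...] */
        uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
        gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
        if (launch_in_rootfs(argv[1], uid, gid, &argv[4]) < 0)
            perror("launch_in_rootfs");
        return 1;
    }
    /* With no arguments, just demonstrate the prctl semantics in-process. */
    printf("before: no_new_privs=%d\n", no_new_privs_enabled());
    if (enable_no_new_privs() < 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        return 1;
    }
    printf("after: no_new_privs=%d, child sees %d, clearing gives errno %d (EINVAL=%d)\n",
           no_new_privs_enabled(), child_inherits_no_new_privs(),
           try_clear_no_new_privs(), EINVAL);
    return 0;
}
```

Two caveats a practitioner would want. The nosuid mount and no_new_privs overlap deliberately: nosuid only protects binaries under that mount, while no_new_privs follows the task through every later execve regardless of where the binary lives, but neither stops a task that is already uid 0 from escaping the chroot, which is why the launcher drops to an unprivileged numeric uid before exec and why user namespaces remain the other option the ticket raises. And no_new_privs is per-thread and must be set in the child that is about to exec, not in the parent launcher, or the launcher itself loses the ability to run setuid helpers later.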