[ https://issues.apache.org/jira/browse/MESOS-2542?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jake Farrell updated MESOS-2542:
--------------------------------
Issue Type: Bug (was: Sub-task)
Parent: (was: MESOS-2540)
> mesos containerizer should not allow tasks to run as root inside scheduler
> specified rootfs
> -------------------------------------------------------------------------------------------
>
> Key: MESOS-2542
> URL: https://issues.apache.org/jira/browse/MESOS-2542
> Project: Mesos
> Issue Type: Bug
> Components: containerization
> Reporter: Jay Buffington
>
> If a task has root in the container it’s fairly well documented how to break
> out of the chroot and get root privs outside the container. Therefore, when
> the mesos containerizer specifies an arbitrary rootfs to chroot into we need
> to be careful to not allow the task to get root access.
>
> There are likely at least two options to consider here. One is user
> namespaces[1] wherein the user has “root” inside the container, but outside
> the container that root user is mapped to an unprivileged user. Another
> option is to mount all user specified rootfs with a nosetuid flag and
> strictly control /etc/passwd.
>
> [1] https://lwn.net/Articles/532593/
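An added example, not part of the issue or of the Mesos code base: a check for the two options the description names, reading a task's /proc/<pid>/uid_map (user namespace mapping) and /proc/<pid>/mountinfo (the Linux mount option that disables setuid binaries is `nosuid`). The function names and sample inputs are constructed for illustration, and it assumes the task's rootfs appears as the mount point "/" in its mountinfo.

```python
# Added example: audit a task for the two mitigations named in the issue.
# Sample inputs are constructed; on a real host read /proc/<pid>/uid_map
# and /proc/<pid>/mountinfo for the task's pid instead.

IDENTITY_MAP = "         0          0 4294967295\n"   # no user namespace
USERNS_MAP = "         0     100000      65536\n"     # root -> host uid 100000
ROOTFS_SUID = "72 61 8:1 /rootfs / rw,relatime - ext4 /dev/sda1 rw\n"
ROOTFS_NOSUID = "72 61 8:1 /rootfs / rw,nosuid,relatime - ext4 /dev/sda1 rw\n"

def parse_id_map(text):
    """Parse uid_map lines: 'inside_start outside_start length'."""
    return [tuple(int(f) for f in line.split())
            for line in text.splitlines() if line.strip()]

def host_uid(id_map, inside_uid):
    """Translate a uid inside the namespace to the host uid (None if unmapped)."""
    for inside, outside, length in id_map:
        if inside <= inside_uid < inside + length:
            return outside + (inside_uid - inside)
    return None

def mount_options(mountinfo, mount_point):
    """Return the per-mount options (6th field of mountinfo) for mount_point."""
    for line in mountinfo.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[4] == mount_point:
            return set(fields[5].split(","))
    return None

def audit(uid_map_text, mountinfo_text, rootfs="/"):
    """Return findings: is container root real root, can setuid binaries run?"""
    findings = []
    if host_uid(parse_id_map(uid_map_text), 0) == 0:
        findings.append("uid 0 in the container is uid 0 on the host")
    opts = mount_options(mountinfo_text, rootfs)
    if opts is None:
        findings.append("rootfs mount not found")
    elif "nosuid" not in opts:
        findings.append("rootfs is mounted without nosuid")
    return findings

if __name__ == "__main__":
    print(audit(IDENTITY_MAP, ROOTFS_SUID))   # both findings
    print(audit(USERNS_MAP, ROOTFS_NOSUID))   # no findings
```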