[ https://issues.apache.org/jira/browse/MESOS-1790?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15240262#comment-15240262 ]

Adam B commented on MESOS-1790:
-------------------------------

[~jieyu] recently brought to my attention the container security work going on 
in MESOS-4936, which will allow a framework to explicitly request to have 
SETUID capability on its containers. In that case, it's ok that Mesos chowns 
those binaries, because the executor process will still have the capability to 
do setuid.
The capabilities work will hopefully land in 0.29.
See 
https://docs.google.com/document/d/1YiTift8TQla2vq3upQr7K-riQ_pQ-FKOCOsysQJROGc/edit#

> Add "chown" option to CommandInfo.URI
> -------------------------------------
>
>                 Key: MESOS-1790
>                 URL: https://issues.apache.org/jira/browse/MESOS-1790
>             Project: Mesos
>          Issue Type: Improvement
>            Reporter: Vinod Kone
>            Assignee: Jim Klucar
>              Labels: myriad, newbie
>         Attachments: 
> 0001-MESOS-1790-Adds-chown-option-to-CommandInfo.URI.patch
>
>
> Mesos fetcher always chown()s the extracted executor URIs as the executor 
> user but sometimes this is not desirable, e.g., "setuid" bit gets lost during 
> chown() if slave/fetcher is running as root. 
> It would be nice to give frameworks the ability to skip the chown.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
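
The behaviour the issue description reports (the setuid bit being lost when the fetched file is chown()ed) and the effect of the requested "skip the chown" option, as an added example that is not Mesos code and not part of the attached patch. `stageFile()`, its `skipChown` flag and the temporary file name are hypothetical; the file is a constructed stand-in for an extracted executor binary, and the chown targets the caller's own ids so the demo runs without root.

```cpp
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <cstdio>
#include <cstdlib>

struct StageResult {
  bool ok;            // every syscall succeeded
  bool setuidBefore;  // S_ISUID set right after "extraction"
  bool setuidAfter;   // S_ISUID still set once staging finished
};

// Create a constructed stand-in for an extracted setuid binary (mode 04755),
// then chown it unless skipChown is set (hypothetical flag modelling the
// option requested in the issue).
StageResult stageFile(bool skipChown) {
  StageResult r = {false, false, false};
  char path[] = "/tmp/fetcher-demo-XXXXXX";
  int fd = mkstemp(path);
  if (fd < 0) return r;

  struct stat st;
  bool good = fchmod(fd, 04755) == 0 && fstat(fd, &st) == 0;
  if (good) {
    r.setuidBefore = (st.st_mode & S_ISUID) != 0;
    // Linux clears S_ISUID on chown of a regular file, and since 2.2.13
    // treats root like any other caller in this respect.
    if (!skipChown) good = fchown(fd, geteuid(), getegid()) == 0;
  }
  if (good && fstat(fd, &st) == 0) {
    r.setuidAfter = (st.st_mode & S_ISUID) != 0;
    r.ok = true;
  }
  close(fd);
  unlink(path);
  return r;
}

int main() {
  StageResult chowned = stageFile(false);
  StageResult skipped = stageFile(true);
  std::printf("with chown: setuid %d -> %d\n", chowned.setuidBefore, chowned.setuidAfter);
  std::printf("skip chown: setuid %d -> %d\n", skipped.setuidBefore, skipped.setuidAfter);
  return (chowned.ok && skipped.ok) ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

A setuid bit that survives staging still has no effect if the executor's container lacks the SETUID capability, which is the part the comment above ties to MESOS-4936.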
