[
https://issues.apache.org/jira/browse/MESOS-6027?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15418521#comment-15418521
]
Gaojin CAO commented on MESOS-6027:
-----------------------------------
Yes, the user exists, i tried with both `nobody` and manually added `admin`
users, thy are recorded in `/etc/passwd`. Here is my setup:
{code}
master: ./bin/mesos-master.sh --work_dir=/tmp/mesos/master
agent: ./bin/mesos-agent.sh --master=127.0.0.1:5050
--work_dir=/var/lib/mesos/agent --ip=10.132.46.71
marathon: docker run -it --net=host mesosphere/marathon:latest-dev --master
127.0.0.1:5050 --zk zk://10.132.46.83:2181/cgj
task manifests:
{
"id": "test-xxxx",
"cmd": "sh -c 'whoami && ls -l && sleep 1001'",
"cpus": 1,
"mem": 128,
"disk": 0,
"instances": 1,
"user": "xxxx"
}
{code}
the results are: test case with root user success; other test cases failed.
> Executor stdout/stderr should not be world-readable
> ---------------------------------------------------
>
> Key: MESOS-6027
> URL: https://issues.apache.org/jira/browse/MESOS-6027
> Project: Mesos
> Issue Type: Bug
> Reporter: Adam B
> Assignee: Gaojin CAO
> Labels: newbie, security
>
> Running a task as 'nobody':
> {code}
> sh -c 'whoami && ls -l && sleep 1001'
> nobody
> -rw-r--r--. 1 nobody nobody 2199 Jul 7 00:12 stderr
> -rw-r--r--. 1 nobody nobody 208 Jul 7 00:12 stdout
> {code}
> As a user of a multi-tenant Mesos, I would expect my task logs to be
> inaccessible to other users/tasks on the same node. Filesystem isolation
> helps from one angle, but basic Linux filesystem permissions are just good
> practice.
> There's no reason that any user other than the task user (i.e. the task
> itself) and root (e.g. Mesos agent) should be able to access these logs.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
