[ https://issues.apache.org/jira/browse/MESOS-6866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15820451#comment-15820451 ]

Yan Xu commented on MESOS-6866:
-------------------------------

Yeah there's no validation on executor ID whatsoever, which I am fixing.

> Mesos agent not checking IDs before using them as part of the paths
> -------------------------------------------------------------------
>
>                 Key: MESOS-6866
>                 URL: https://issues.apache.org/jira/browse/MESOS-6866
>             Project: Mesos
>          Issue Type: Bug
>          Components: security
>            Reporter: Yan Xu
>            Assignee: Yan Xu
>
> Various IDs are used in Mesos, some assigned by the master (AgentID, 
> FrameworkID, etc) and some created by the frameworks (TaskID, ExecutorID etc).
> The master does sufficient validation on the IDs supplied by the frameworks 
> and the agent currently just trusts that the IDs are valid because they have 
> been validated. 
> The problem is that currently any entity can spoof as the master to inject 
> certain actions on the agent which can be executed as "root" and inflict harm 
> on the system. The "right" long term fix is of course to prevent this from 
> happening but as a short-term defensive measure we can insert some hard 
> CHECKs on the validity of the IDs in the agent code paths.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
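
An added example, not taken from the ticket or from the Mesos code base, of the kind of defensive check the description asks for: a framework-supplied ID is validated before it is ever joined into a filesystem path. The function names, the 255-byte limit and the `executors/` directory layout are assumptions made for illustration.

```cpp
#include <cctype>
#include <string>

// Hypothetical helper (not a Mesos function): true only if `id` can be used
// as exactly one path component without escaping its parent directory.
bool isSafePathComponent(const std::string& id)
{
  const std::string::size_type kMaxLength = 255; // Assumed limit (typical NAME_MAX).

  if (id.empty() || id.size() > kMaxLength) {
    return false;
  }

  // "." and ".." are valid file names to the kernel but change which
  // directory the joined path refers to.
  if (id == "." || id == "..") {
    return false;
  }

  for (std::string::size_type i = 0; i < id.size(); ++i) {
    const unsigned char c = static_cast<unsigned char>(id[i]);
    // Reject separators and control characters (including embedded NUL,
    // which would truncate the path once it reaches a C API).
    if (c == '/' || c == '\\' || std::iscntrl(c)) {
      return false;
    }
  }

  return true;
}

// Hypothetical path builder: refuses to produce a path for an unvalidated ID,
// so callers cannot skip the check. The layout is constructed for this example.
bool executorDirectory(
    const std::string& workDir,
    const std::string& executorId,
    std::string* path)
{
  if (!isSafePathComponent(executorId)) {
    return false;
  }

  *path = workDir + "/executors/" + executorId;
  return true;
}
```

The ticket proposes hard CHECKs, meaning the agent would abort on an invalid ID; this sketch returns `false` instead so the caller decides how to fail.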
