[
https://issues.apache.org/jira/browse/MESOS-6953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15837018#comment-15837018
]
Anindya Sinha commented on MESOS-6953:
--------------------------------------
In a normal case (when master is not compromised), we should always have the
same acls for {{run_tasks}} on each agent of the cluster, so the framework
should be sure that the tasks would launch on any agent if it passes
authorization on the master. In the case of a compromised master, we do not
want the agent to launch tasks as a privileged user. The check against the
{{run_tasks}} acl on the agent is just for that purpose.
Regarding the live upgrade case: If this functionality is desired (i.e. to
protect against running tasks on the agent as privileged users through a
compromised master), we need to add the {{run_tasks}} acl (not all acls) on
each agent that matches with the {{run_tasks}} acl on the master.
Another option instead of using framework principal as the "subject" could be
to add another flag for mesos-slave that enlists the {{whitelisted_users}}
(instead of using {{acls}}) which the agent checks to ensure that the task user
for the task that is going to be launched is included in that list of
whitelisted users. The reason for using {{acls}} on the agent is mainly to reuse the
existing authorization module.
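To make the agent-side check concrete, here is an added example (not Mesos code) that models a {{run_tasks}} ACL evaluation in Python over the JSON shape accepted by the {{--acls}} flag: the framework principal is the subject, the task user is the object, and the {{permissive}} flag is the fallback. It assumes first-match semantics with ANY/NONE/SOME entity types; the principal, user and ACL values are constructed.

```python
import json

# Constructed example ACL, in the JSON form the --acls flag takes.
# The same run_tasks ACL would be configured on the master and on each agent.
AGENT_ACLS = json.loads("""
{
  "permissive": false,
  "run_tasks": [
    {"principals": {"values": ["web-framework"]}, "users": {"values": ["www"]}},
    {"principals": {"type": "ANY"}, "users": {"type": "NONE"}}
  ]
}
""")


def _matches(entity, value):
    """An entity block matches a value if it is ANY, NONE, or lists the value."""
    kind = entity.get("type", "SOME")
    if kind in ("ANY", "NONE"):
        return True
    return value in entity.get("values", [])


def _allows(entity, value):
    """An entity block allows a value unless it is NONE (or does not list it)."""
    return entity.get("type", "SOME") != "NONE" and _matches(entity, value)


def agent_may_run_task(acls, principal, task_user):
    """First-match model (assumption): the first run_tasks ACL whose principals and
    users both match decides; if no ACL matches, fall back to the permissive flag."""
    for acl in acls.get("run_tasks", []):
        if _matches(acl["principals"], principal) and _matches(acl["users"], task_user):
            return _allows(acl["principals"], principal) and _allows(acl["users"], task_user)
    return bool(acls.get("permissive", True))


if __name__ == "__main__":
    # A legitimate launch passes; a launch as root, even one forwarded by a
    # compromised master, is refused by the agent's own ACL check.
    print(agent_may_run_task(AGENT_ACLS, "web-framework", "www"))   # True
    print(agent_may_run_task(AGENT_ACLS, "web-framework", "root"))  # False
    print(agent_may_run_task(AGENT_ACLS, "unknown", "root"))        # False
```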
> A compromised mesos-master node can execute code as root on agents.
> -------------------------------------------------------------------
>
> Key: MESOS-6953
> URL: https://issues.apache.org/jira/browse/MESOS-6953
> Project: Mesos
> Issue Type: Bug
> Components: security
> Reporter: Anindya Sinha
> Assignee: Anindya Sinha
> Labels: security, slave
>
> mesos-master has a `--[no-]root_submissions` flag that controls whether
> frameworks with `root` user are admitted to the cluster.
> However, if a mesos-master node is compromised, it can attempt to schedule
> tasks on an agent as the `root` user. Since mesos-agent has no check against
> tasks running on the agent as specific users, tasks can get run with `root`
> privileges within the container on the agent.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)