[
https://issues.apache.org/jira/browse/MESOS-6866?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Gavin updated MESOS-6866:
-------------------------
Comment: was deleted
(was: www.rtat.net)
> Mesos agent not checking IDs before using them as part of the paths
> -------------------------------------------------------------------
>
> Key: MESOS-6866
> URL: https://issues.apache.org/jira/browse/MESOS-6866
> Project: Mesos
> Issue Type: Bug
> Components: security
> Reporter: Yan Xu
> Assignee: Yan Xu
> Priority: Major
> Fix For: 1.2.0
>
>
> Various IDs are used in Mesos, some assigned by the master (AgentID,
> FrameworkID, etc) and some created by the frameworks (TaskID, ExecutorID etc).
> The master does sufficient validation on the IDs supplied by the frameworks
> and the agent currently just trusts that the IDs are valid because they have
> been validated.
> The problem is that currently any entity can spoof as the master to inject
> certain actions on the agent which can be executed as "root" and inflict harm
> on the system. The "right" long term fix is of course to prevent this from
> happening but as a short-term defensive measure we can insert some hard
> CHECKs on the validity of the IDs in the agent code paths.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
