The GitHub Actions job "Tests" on airflow.git/supervisor-nondumpable has succeeded. Run started by GitHub user ashb (triggered by ashb).
Head commit for run: f6fd2bd7e7b7e21275f4bc53407c72aa5c64d996 / Ash Berlin-Taylor <[email protected]>

Protect supervisor memory from being read by sibling task processes

Airflow task workers run all tasks as the same UID (unless you use run_as_user, which most people don't). Each supervisor process holds a distinct JWT token for API authentication. Without protection, any task process can read a sibling supervisor's memory and steal its token via:

- /proc/<pid>/mem (direct memory read)
- /proc/<pid>/environ (read environment variables)
- /proc/<pid>/maps (find memory layout, then read)
- ptrace(PTRACE_ATTACH, ...) (debugger attach)

These all work because the kernel allows same-UID processes to access each other by default. And being able to have one task impersonate another task is not great for security controls we want to put in place.

Calling `prctl(PR_SET_DUMPABLE, 0)` tells the kernel to deny all four vectors for non-root processes without `CAP_SYS_PTRACE`. Root-level debugging tools (py-spy, strace, gdb under sudo) still work because `CAP_SYS_PTRACE` bypasses the dumpable check.

The flag is set at the top of supervise(), before the Client is constructed with the token. Since the task child is created via os.fork() with no subsequent execve(), it inherits the non-dumpable flag automatically — both supervisor and task processes are protected.

This is the same mechanism OpenSSH's ssh-agent uses to protect private keys in memory: https://github.com/openssh/openssh-portable/commit/6c4914afccb0c188a2c412d12dfb1b73e362e07e and I think Chromium and KeePassXC etc use it similarly.

Report URL: https://github.com/apache/airflow/actions/runs/22452794838

With regards,
GitHub Actions via GitBox
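An added example, not part of the commit above or of the Airflow code base, showing the mechanism the commit message relies on: setting PR_SET_DUMPABLE to 0 through prctl(2) from Python via ctypes, then forking without execve and confirming that the child inherits the non-dumpable flag. It assumes Linux; the option numbers are taken from <linux/prctl.h>, and the function names are this example's own.

```python
import ctypes
import os

# prctl(2) option numbers from <linux/prctl.h> (Linux only).
PR_GET_DUMPABLE = 3
PR_SET_DUMPABLE = 4


def _prctl(option: int, arg2: int = 0) -> int:
    """Thin wrapper around prctl(2) via libc; raises OSError on failure."""
    libc = ctypes.CDLL(None, use_errno=True)
    libc.prctl.restype = ctypes.c_int
    libc.prctl.argtypes = [ctypes.c_int, ctypes.c_ulong, ctypes.c_ulong,
                           ctypes.c_ulong, ctypes.c_ulong]
    rc = libc.prctl(option, arg2, 0, 0, 0)
    if rc < 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))
    return rc


def protect_process_memory() -> None:
    """Mark the calling process non-dumpable. Same-UID processes without
    CAP_SYS_PTRACE can then no longer ptrace it or read its
    /proc/<pid>/{mem,maps,environ}; call this before loading any secret."""
    _prctl(PR_SET_DUMPABLE, 0)


def is_dumpable() -> bool:
    """Return the calling process's current dumpable flag."""
    return _prctl(PR_GET_DUMPABLE) != 0


def dumpable_after_fork() -> tuple[bool, bool]:
    """Set the flag in the parent, fork a child with no execve(), and return
    (parent_dumpable, child_dumpable). The child reports its flag through its
    exit status, since it cannot return a value directly."""
    protect_process_memory()
    pid = os.fork()
    if pid == 0:
        os._exit(1 if is_dumpable() else 0)
    _, status = os.waitpid(pid, 0)
    return is_dumpable(), os.WEXITSTATUS(status) == 1


if __name__ == "__main__":
    parent, child = dumpable_after_fork()
    print(f"parent dumpable={parent}, forked child dumpable={child}")
```

Note that an execve() of an ordinary (non-setuid) binary resets the flag, so a task that re-executes itself would need to call protect_process_memory() again.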
