[
https://issues.apache.org/jira/browse/MAPREDUCE-1991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12895136#action_12895136
]
Vinod K V commented on MAPREDUCE-1991:
--------------------------------------
bq. The -l option is to enable logging in the taskcontroller. AFAIK, we have
never really used this. Should we knock it out ?
A big +1. Note that we do depend on the fact that the output is piped into
TaskTracker JVM and eventually into the TaskTracker's logs. So we should retain
the logging to stdout/stderr but just knock out the command line option.
bq. We also have to fix the checks on permissions - it currently uses argv[0]
which is spoofable. Calling stat on /proc/self/exe is going to be more secure
(and we've already used Linux-specific code elsewhere in the task controller)
Can you please file a new ticket?
> taskcontroller allows stealing permissions on any local file
> ------------------------------------------------------------
>
> Key: MAPREDUCE-1991
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-1991
> Project: Hadoop Map/Reduce
> Issue Type: Bug
> Components: task-controller
> Affects Versions: 0.21.0, 0.22.0
> Reporter: Todd Lipcon
> Priority: Blocker
>
> The linux task-controller setuid binary allows a malicious user to chmod any
> file on the system to 644 (and as a side effect appends some junk to the end)
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
