[
https://issues.apache.org/jira/browse/MAPREDUCE-2096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12978526#action_12978526
]
Hudson commented on MAPREDUCE-2096:
-----------------------------------
Integrated in Hadoop-Mapreduce-trunk-Commit #572 (See
[https://hudson.apache.org/hudson/job/Hadoop-Mapreduce-trunk-Commit/572/])
> Secure local filesystem IO from symlink vulnerabilities
> -------------------------------------------------------
>
> Key: MAPREDUCE-2096
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-2096
> Project: Hadoop Map/Reduce
> Issue Type: Bug
> Components: jobtracker, security, tasktracker
> Affects Versions: 0.22.0
> Reporter: Todd Lipcon
> Assignee: Todd Lipcon
> Priority: Blocker
> Fix For: 0.22.0
>
> Attachments: mapreduce-2096-index-oob.txt, mapreduce-2096.2.txt,
> mapreduce-2096.txt, secure-files-9.txt, secure-files-authorized-jvm-fix.txt
>
>
> This JIRA is to contribute a patch developed on the private security@ mailing
> list.
> The vulnerability is that MR daemons occasionally open files that are located
> in a path where the user has write access. A malicious user may place a
> symlink in place of the expected file in order to cause the daemon to instead
> read another file on the system -- one which the attacker may not naturally
> be able to access. This includes delegation tokens belong to other users, log
> files, keytabs, etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
