[ https://issues.apache.org/jira/browse/MAPREDUCE-2103?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13289196#comment-13289196 ]

Konstantin Shvachko commented on MAPREDUCE-2103:
------------------------------------------------

Committed to branch 0.22.1. Thank you Benoy.
                
> task-controller shouldn't require o-r permissions
> -------------------------------------------------
>
>                 Key: MAPREDUCE-2103
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-2103
>             Project: Hadoop Map/Reduce
>          Issue Type: Improvement
>          Components: task-controller
>    Affects Versions: 0.22.0
>            Reporter: Todd Lipcon
>            Assignee: Todd Lipcon
>            Priority: Trivial
>             Fix For: 0.22.0, 1.1.0
>
>         Attachments: mapreduce-2103-20x.patch, mapreduce-2103.txt, 
> mapreduce-2103.txt, mr-2103-0.22.patch
>
>
> The task-controller currently checks that "other" users don't have read 
> permissions. This is unnecessary - we just need to make sure it's not executable. 
> The debian policy manual explains it well:
> {quote}
> Setuid and setgid executables should be mode 4755 or 2755 respectively, and 
> owned by the appropriate user or group. They should not be made unreadable 
> (modes like 4711 or 2711 or even 4111); doing so achieves no extra security, 
> because anyone can find the binary in the freely available Debian package; it 
> is merely inconvenient. For the same reason you should not restrict read or 
> execute permissions on non-set-id executables.
> Some setuid programs need to be restricted to particular sets of users, using 
> file permissions. In this case they should be owned by the uid to which they 
> are set-id, and by the group which should be allowed to execute them. They 
> should have mode 4754; again there is no point in making them unreadable to 
> those users who must not be allowed to execute them.
> {quote}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
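
The two permission policies discussed in the issue, side by side, as an added example (not the task-controller source and not part of the original message). The function and enum names are hypothetical, and the "other"-write rejection is an assumption added here; the issue itself only mentions the read and execute bits.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Verdicts for a set-uid helper's mode bits (names are hypothetical). */
enum mode_verdict {
    MODE_OK = 0,
    MODE_NOT_SETUID,   /* set-uid bit missing */
    MODE_OTHER_EXEC,   /* "other" may execute: any local user could run it */
    MODE_OTHER_WRITE,  /* "other" may write (added check, an assumption) */
    MODE_OTHER_READ    /* only the old, stricter policy reports this */
};

/* Relaxed policy from the issue: "other" must not execute; read is allowed,
 * so the Debian-recommended mode 4754 passes. */
enum mode_verdict check_mode_relaxed(mode_t m)
{
    if (!(m & S_ISUID)) return MODE_NOT_SETUID;
    if (m & S_IXOTH)    return MODE_OTHER_EXEC;
    if (m & S_IWOTH)    return MODE_OTHER_WRITE;
    return MODE_OK;
}

/* Old policy described in the issue: additionally reject "other" read. */
enum mode_verdict check_mode_strict(mode_t m)
{
    enum mode_verdict v = check_mode_relaxed(m);
    if (v != MODE_OK)   return v;
    if (m & S_IROTH)    return MODE_OTHER_READ;
    return MODE_OK;
}

/* Apply the relaxed policy to a file on disk; -1 if it cannot be stat'ed. */
int check_path(const char *path)
{
    struct stat sb;
    if (stat(path, &sb) != 0) return -1;
    return (int)check_mode_relaxed(sb.st_mode);
}

int main(void)
{
    /* Constructed sample modes, not taken from any real installation. */
    static const mode_t samples[] = { 04754, 04750, 04755, 04711, 0754 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%04o strict=%d relaxed=%d\n", (unsigned)samples[i],
               check_mode_strict(samples[i]), check_mode_relaxed(samples[i]));
    return 0;
}
```

Mode 4754 is the case the change is about: the strict check rejects it for the read bit alone, while the relaxed check accepts it and still rejects 4755 and 4711 because "other" can execute.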

        
