Cyl created MAPREDUCE-7526:
------------------------------
Summary: Insecure Temporary File Permissions in HadoopArchiveLogs
Leads to Information Disclosure
Key: MAPREDUCE-7526
URL: https://issues.apache.org/jira/browse/MAPREDUCE-7526
Project: Hadoop Map/Reduce
Issue Type: Bug
Affects Versions: 3.4.1
Reporter: Cyl
{*}Description{*}:
h3. Summary
The {{HadoopArchiveLogs}} tool creates temporary shell script files with
world-readable permissions (0644), allowing any local user to read sensitive
job information including application IDs, usernames, and internal HDFS paths.
This enables local information disclosure that could aid further attacks.
h3. Details
In {{HadoopArchiveLogs.java}}, the {{run()}} method creates a temporary
script file using {{File.createTempFile()}}:
```java
// hadoop-tools/hadoop-archive-logs/src/main/java/org/apache/hadoop/tools/HadoopArchiveLogs.java
// Line 200
File localScript = File.createTempFile("hadoop-archive-logs-", ".sh");
generateScript(localScript);
```
The {{File.createTempFile()}} API inherits system umask settings. On most Linux
systems with default umask 022, this creates files with permissions
{{-rw-r--r--}} (0644), making them readable by all users on the system.
The {{generateScript()}} method (lines 497-550) then writes sensitive
information to this file:
```java
void generateScript(File localScript) throws IOException {
  // ...
  fw.write("\tappId=\"");
  fw.write(context.getAppId());                 // Application ID
  fw.write("\"\n\tuser=\"");
  fw.write(context.getUser());                  // Username
  fw.write("\"\n\tworkingDir=\"");
  fw.write(context.getWorkingDir().toString()); // Internal HDFS path
  // ...
}
```
Additionally, the temporary file is never explicitly deleted after use, leaving
it persistent in {{/tmp}}.
h3. Impact
This vulnerability enables {*}local information disclosure{*}:
* {*}Application IDs{*}: Allows enumeration of YARN jobs running on the cluster
* {*}Usernames{*}: Reveals which users are submitting jobs
* {*}Internal Paths{*}: Exposes HDFS directory structure and log locations
* {*}Persistent Exposure{*}: Files remain in {{/tmp}} indefinitely as they are
never deleted
A local attacker with low-privilege shell access can harvest this information
for reconnaissance before conducting more targeted attacks against specific
users or applications.
h3. Occurrences
||Permalink||Description||
|[https://github.com/apache/hadoop/blob/trunk/hadoop-tools/hadoop-archive-logs/src/main/java/org/apache/hadoop/tools/HadoopArchiveLogs.java#L200]|Insecure {{File.createTempFile()}} call creating world-readable temp file|
|[https://github.com/apache/hadoop/blob/trunk/hadoop-tools/hadoop-archive-logs/src/main/java/org/apache/hadoop/tools/HadoopArchiveLogs.java#L497-L550]|{{generateScript()}} method writing sensitive information to the temp file|
h3. Recommended Fix
Replace {{File.createTempFile()}} with {{Files.createTempFile()}} using
explicit secure permissions:
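```java
// Needs java.nio.file.{Files, Path}, java.util.Set and
// java.nio.file.attribute.{FileAttribute, PosixFilePermission, PosixFilePermissions}
FileAttribute<Set<PosixFilePermission>> perms =
    PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
// The file is created owner-only from the start, regardless of umask
Path localScriptPath = Files.createTempFile("hadoop-archive-logs-", ".sh", perms);
File localScript = localScriptPath.toFile();
```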
Additionally, ensure cleanup in the finally block:
```java
finally {
if (localScript != null) {
localScript.delete();
}
}
```
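For hosts that have already run the tool, the leftover scripts described in the report can be audited with a check like the following. This is an added example, not part of the original report or of Hadoop; the function names and the sample files are constructed here, and only the `hadoop-archive-logs-` prefix and `.sh` suffix come from the quoted `File.createTempFile()` call.

```python
import fnmatch
import os
import stat
import tempfile
import time

# Prefix and suffix are taken from the File.createTempFile() call in the report.
PATTERN = "hadoop-archive-logs-*.sh"


def audit_temp_scripts(tmp_dir, now=None):
    """Return one finding per leftover script that group or other can read."""
    now = time.time() if now is None else now
    findings = []
    with os.scandir(tmp_dir) as entries:
        for entry in entries:
            if not fnmatch.fnmatch(entry.name, PATTERN):
                continue
            st = entry.stat(follow_symlinks=False)
            if not stat.S_ISREG(st.st_mode):
                continue  # ignore symlinks, directories and special files
            mode = stat.S_IMODE(st.st_mode)
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append({
                    "path": entry.path,
                    "mode": format(mode, "04o"),
                    "uid": st.st_uid,
                    "age_days": round((now - st.st_mtime) / 86400, 1),
                })
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Constructed sample: one 0644 script, one 0600 script, one unrelated file."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("hadoop-archive-logs-111.sh", 0o644),
                           ("hadoop-archive-logs-222.sh", 0o600),
                           ("unrelated.sh", 0o644)):
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write('appId="placeholder-app-id"\n')  # constructed content
            os.chmod(path, mode)
        return [(os.path.basename(f["path"]), f["mode"])
                for f in audit_temp_scripts(d)]


if __name__ == "__main__":
    print(demo())
```

Point `audit_temp_scripts()` at the directory named by `java.io.tmpdir` for the account that runs the tool (usually `/tmp`); each finding carries the owner uid and file age for deciding what to remove.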