[ https://issues.apache.org/jira/browse/MAPREDUCE-7526?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Steve Loughran updated MAPREDUCE-7526:
--------------------------------------
    Labels: security  (was: )

> Insecure Temporary File Permissions in HadoopArchiveLogs Leads to Information 
> Disclosure
> ----------------------------------------------------------------------------------------
>
>                 Key: MAPREDUCE-7526
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-7526
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>    Affects Versions: 3.4.1
>            Reporter: Cyl
>            Priority: Minor
>              Labels: security
>
> {*}Description{*}:
> h3. Summary
> The {{HadoopArchiveLogs}} tool creates temporary shell script files with 
> world-readable permissions (0644), allowing any local user to read sensitive 
> job information including application IDs, usernames, and internal HDFS 
> paths. This enables local information disclosure that could aid further 
> attacks.
> h3. Details
> In {{HadoopArchiveLogs.java}}, the {{run()}} method creates a temporary 
> script file using {{File.createTempFile()}}:
> ```java
> // hadoop-tools/hadoop-archive-logs/src/main/java/org/apache/hadoop/tools/HadoopArchiveLogs.java
> // Line 200
> File localScript = File.createTempFile("hadoop-archive-logs-", ".sh");
> generateScript(localScript);
> ```
> The {{File.createTempFile()}} API inherits system umask settings. On most 
> Linux systems with default umask 022, this creates files with permissions 
> {{-rw-r--r--}} (0644), making them readable by all users on the system.
> The {{generateScript()}} method (lines 497-550) then writes sensitive 
> information to this file:
>  
> ```java
> void generateScript(File localScript) throws IOException {
>     // ...
>     fw.write("\tappId=\"");
>     fw.write(context.getAppId());        // Application ID
>     fw.write("\"\n\tuser=\"");
>     fw.write(context.getUser());         // Username
>     fw.write("\"\n\tworkingDir=\"");
>     fw.write(context.getWorkingDir().toString());  // Internal HDFS path
>     // ...
> }
> ```
> Additionally, the temporary file is never explicitly deleted after use, 
> leaving it persistent in {{/tmp}}.
> h3. Impact
> This vulnerability enables {*}local information disclosure{*}:
>  * {*}Application IDs{*}: Allows enumeration of YARN jobs running on the 
> cluster
>  * {*}Usernames{*}: Reveals which users are submitting jobs
>  * {*}Internal Paths{*}: Exposes HDFS directory structure and log locations
>  * {*}Persistent Exposure{*}: Files remain in {{/tmp}} indefinitely as they 
> are never deleted
> A local attacker with low-privilege shell access can harvest this information 
> for reconnaissance before conducting more targeted attacks against specific 
> users or applications.
> h3. Occurrences
> ||Permalink||Description||
> |[https://github.com/apache/hadoop/blob/trunk/hadoop-tools/hadoop-archive-logs/src/main/java/org/apache/hadoop/tools/HadoopArchiveLogs.java#L200]|Insecure {{File.createTempFile()}} call creating world-readable temp file|
> |[https://github.com/apache/hadoop/blob/trunk/hadoop-tools/hadoop-archive-logs/src/main/java/org/apache/hadoop/tools/HadoopArchiveLogs.java#L497-L550]|{{generateScript()}} method writing sensitive information to the temp file|
> h3. Recommended Fix
> Replace {{File.createTempFile()}} with {{Files.createTempFile()}} using 
> explicit secure permissions:
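> ```java
> // Needs java.nio.file.{Files, Path}, java.util.Set and
> // java.nio.file.attribute.{FileAttribute, PosixFilePermission, PosixFilePermissions}
> FileAttribute<Set<PosixFilePermission>> perms =
>     PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
> Path localScriptPath = Files.createTempFile("hadoop-archive-logs-", ".sh", perms);
> File localScript = localScriptPath.toFile();
> ```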
> Additionally, ensure cleanup in the finally block:
> ```java
> finally {
>     if (localScript != null) {
>         localScript.delete();
>     }
> }
> ```

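The two creation patterns from the report, side by side, as an added example (not part of the issue text or of Hadoop's code): it creates one file each way on a POSIX filesystem, prints the resulting mode, and deletes both in a `finally` block. The class name, helper names and the sample `appId` line are assumptions made for the illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.util.*;

// Added illustration; class and method names are hypothetical, not Hadoop code.
public class TempScriptPermsDemo {
    // Every permission bit held by someone other than the file owner.
    static final Set<PosixFilePermission> NON_OWNER =
        PosixFilePermissions.fromString("---rwxrwx");

    // True when group or others hold any permission on the file.
    static boolean exposedToOthers(Path p) throws IOException {
        return !Collections.disjoint(Files.getPosixFilePermissions(p), NON_OWNER);
    }

    static String describe(Path p) throws IOException {
        return PosixFilePermissions.toString(Files.getPosixFilePermissions(p))
            + (exposedToOthers(p) ? " (group/other access)" : " (owner-only)");
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample line standing in for what generateScript() writes.
        byte[] body = "\tappId=\"application_0000000000000_0001\"\n"
            .getBytes(StandardCharsets.UTF_8);
        File legacy = null;
        Path hardened = null;
        try {
            // Pattern from the report: final mode depends on the process umask.
            legacy = File.createTempFile("hadoop-archive-logs-", ".sh");
            Files.write(legacy.toPath(), body);
            System.out.println("File.createTempFile:  " + describe(legacy.toPath()));

            // Pattern from the recommended fix: mode requested at creation time,
            // so the file is never readable by others, even briefly.
            FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
            hardened = Files.createTempFile("hadoop-archive-logs-", ".sh", ownerOnly);
            Files.write(hardened, body);
            System.out.println("Files.createTempFile: " + describe(hardened));
        } finally {
            // Cleanup on every exit path, as the report recommends.
            if (legacy != null) Files.deleteIfExists(legacy.toPath());
            if (hardened != null) Files.deleteIfExists(hardened);
        }
    }
}
```

With umask 022 the first line prints `rw-r--r--` and the second `rwx------`; on a non-POSIX filesystem `Files.getPosixFilePermissions` throws `UnsupportedOperationException`.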

