> On March 15, 2017, 9:51 a.m., Robert Levas wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/security/CertificateManager.java
> > Lines 166-167 (patched)
> > <https://reviews.apache.org/r/57625/diff/1/?file=1664892#file1664892line166>
> >
> >     This is really dangerous and could be considered a security issue.
> >     Same with the previous `runcommand` calls. We need to see what happens if
> >     `security.server.keys_dir` is set to something like
> >
> >     ```
> >     ;touch /tmp/security_issue;
> >     ```
>
> Vitalyi Brodetskyi wrote:
>     Robert, this code works for a long time in that way, so I think it's not
>     urgent. Maybe we can create a separate jira to check how it works with "touch
>     /tmp/security_issue" and try to fix it in next release? Sumit FYI
I tested Oracle Java and OpenJDK versions 1.7 and 1.8. All 4 JVMs tokenize the command string and this prevents any injection. I am dropping this issue.

- Robert


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/57625/#review169004
-----------------------------------------------------------


On March 14, 2017, 6:35 p.m., Vitalyi Brodetskyi wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/57625/
> -----------------------------------------------------------
>
> (Updated March 14, 2017, 6:35 p.m.)
>
>
> Review request for Ambari, Robert Levas, Sumit Mohanty, Sid Wagle, and Yusaku Sako.
>
>
> Bugs: AMBARI-20453
>     https://issues.apache.org/jira/browse/AMBARI-20453
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Minor refactoring and clean up in ambari-server
>
>
> Diffs
> -----
>
>   ambari-server/src/main/assemblies/server.xml 768ba68
>   ambari-server/src/main/java/org/apache/ambari/server/security/CertificateManager.java 8d54acb
>   ambari-server/src/main/package/rpm/postinstall.sh 1e8e0f0
>   ambari-server/src/main/python/ambari_server/resourceFilesKeeper.py 188f3ff
>   ambari-server/src/main/python/ambari_server/serverConfiguration.py 3dd165b
>   ambari-server/src/main/resources/scripts/check_ambari_permissions.py PRE-CREATION
>
>
> Diff: https://reviews.apache.org/r/57625/diff/1/
>
>
> Testing
> -------
>
> mvn clean test
>
>
> Thanks,
>
> Vitalyi Brodetskyi
>
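Robert's finding above, shown as an added example that is not Ambari's code: `Runtime.exec(String)` splits the command line on whitespace into an argv array before handing it to `ProcessBuilder`, so no shell ever interprets the `;` in the property value. The `/bin/echo` command, the property value and the space-containing directory are constructed assumptions; the caveat the example adds is that whitespace tokenization also splits a legitimate path containing spaces, which an explicit argument list avoids.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.StringTokenizer;

public class ExecTokenizationDemo {

    // Mirrors what Runtime.exec(String) does internally before calling
    // ProcessBuilder: split the command line on whitespace into argv.
    // No shell sees the string, so ';' is just part of an argument.
    static List<String> tokenize(String commandLine) {
        List<String> argv = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(commandLine);
        while (st.hasMoreTokens()) {
            argv.add(st.nextToken());
        }
        return argv;
    }

    // Runs argv directly (no shell) and returns its combined stdout/stderr.
    static String run(List<String> argv) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(argv).redirectErrorStream(true).start();
        StringBuilder out = new StringBuilder();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
            String line;
            while ((line = r.readLine()) != null) {
                out.append(line).append('\n');
            }
        }
        p.waitFor();
        return out.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed property value, taken from the review comment.
        String keysDir = ";touch /tmp/security_issue;";

        // Single-string form as discussed in the review: echo receives the
        // pieces as separate arguments and merely prints them; nothing runs.
        List<String> argv = tokenize("/bin/echo " + keysDir);
        System.out.println("argv = " + argv);
        System.out.println("echo printed: " + run(argv));

        // Constructed path with a space: tokenization breaks it into two
        // arguments, while an explicit argv list keeps it intact.
        String dirWithSpace = "/opt/example dir/keys";
        System.out.println("tokenized: " + tokenize("/bin/echo " + dirWithSpace));
        System.out.println("explicit:  " + run(Arrays.asList("/bin/echo", dirWithSpace)));
    }
}
```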
