-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/50200/#review142833
-----------------------------------------------------------

src/launcher/fetcher.cpp (lines 519 - 525)
<https://reviews.apache.org/r/50200/#comment208505>

    An open discussion:

    After looking at os::chown(), we should not only change the file owner, but also the groups. So only getting and setting the uid looks insufficient to me. We should consider doing the same for the gid and the supplementary groups (please look at /mesos/launch.cpp for examples).


- Gilbert Song


On July 19, 2016, 1:53 p.m., Greg Mann wrote:

>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/50200/
> -----------------------------------------------------------
>
> (Updated July 19, 2016, 1:53 p.m.)
>
>
> Review request for mesos, Gilbert Song, Jie Yu, and Joerg Schad.
>
>
> Bugs: mesos-5845
>     https://issues.apache.org/jira/browse/mesos-5845
>
>
> Repository: mesos
>
>
> Description
> -------
>
> To ensure that a task cannot fetch root-protected
> files from the local filesystem when running as a
> non-root user, this patch changes the fetcher to
> fetch files as the task user.
>
>
> Diffs
> -----
>
>   src/launcher/fetcher.cpp 0539b0182bd4a7178f103dddd1ab4fee8fc79eda
>   src/tests/fetcher_tests.cpp d38ce6e750dc828ef5af4a27fac76327cc4cb56c
>
> Diff: https://reviews.apache.org/r/50200/diff/
>
>
> Testing
> -------
>
> A new test was added to the fetcher tests:
> `FetcherTest.ROOT_RootProtectedFileURI`.
>
> `sudo make check` was used to test on both OSX and CentOS 7.
>
> Note that two of the fetcher tests fail for me when run as root on OSX. I saw
> the following on my OSX 10.10.5 system:
> ```
> [ FAILED ] FetcherCacheTest.LocalUncachedExtract
> [ FAILED ] FetcherCacheHttpTest.HttpMixed
> ```
>
> These failures are already tracked here:
> https://issues.apache.org/jira/browse/MESOS-4890
>
>
> Thanks,
>
> Greg Mann
>
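Gilbert's point in the comment above, that switching only the uid leaves the fetcher with root's gid and supplementary groups so group-readable root-owned files stay readable, in runnable form; this is an added illustration, not Mesos code and not the stout os:: helpers, and the file ownership, mode and credential values are constructed.

```cpp
// Added illustration, not Mesos code: why switching only the uid is not enough.
#include <sys/stat.h>
#include <unistd.h>
#include <grp.h>
#include <pwd.h>
#include <cerrno>
#include <string>
#include <vector>
#include <algorithm>

// Credentials a process holds after a (possibly partial) switch to the task user.
struct Creds {
  uid_t uid;
  gid_t gid;
  std::vector<gid_t> groups;  // supplementary groups
};

// Classic POSIX read check (no ACLs, no capabilities): owner bits if the uid
// matches, else group bits if the primary gid or any supplementary group
// matches, else "other" bits. uid 0 reads everything.
bool canRead(const struct stat& st, const Creds& c) {
  if (c.uid == 0) return true;
  if (st.st_uid == c.uid) return (st.st_mode & S_IRUSR) != 0;
  bool inGroup = st.st_gid == c.gid ||
      std::find(c.groups.begin(), c.groups.end(), st.st_gid) != c.groups.end();
  if (inGroup) return (st.st_mode & S_IRGRP) != 0;
  return (st.st_mode & S_IROTH) != 0;
}

// Constructed sample: a root-protected file, owner root, group root, mode 0640.
struct stat rootProtectedFile() {
  struct stat st = {};
  st.st_uid = 0;
  st.st_gid = 0;
  st.st_mode = S_IFREG | S_IRUSR | S_IWUSR | S_IRGRP;
  return st;
}

// Full switch to `user` in the order that works: supplementary groups and the
// primary gid first (both still need root), the uid last. Returns 0 or an errno.
int dropToUser(const std::string& user) {
  errno = 0;
  struct passwd* pw = getpwnam(user.c_str());
  if (pw == nullptr) return errno != 0 ? errno : ENOENT;
  if (initgroups(pw->pw_name, pw->pw_gid) != 0) return errno;
  if (setgid(pw->pw_gid) != 0) return errno;
  if (setuid(pw->pw_uid) != 0) return errno;
  if (setuid(0) == 0) return EPERM;  // the drop must not be reversible
  return 0;
}
```

The permission check runs as any user; dropToUser only succeeds when the caller is root, which is the situation the fetcher is in before it becomes the task user.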
