> On July 20, 2016, 5:45 p.m., Gilbert Song wrote:
> > src/tests/fetcher_tests.cpp, line 107
> > <https://reviews.apache.org/r/50200/diff/2/?file=1447747#file1447747line107>
> >
> >     `nobody` seems safe enough since it should exist in all Unix systems.
>
> Joseph Wu wrote:
>     Side note: one of our tests creates a user:
>     https://github.com/apache/mesos/blob/db305bb3502cc90412bd3548cc6481fd829a5ee5/src/tests/containerizer/isolator_tests.cpp#L1563-L1592

Joseph, thanks for that reference! Interesting... ideally, I _would_ like to make a new user for the purposes of this test. However, I'm not sure if there's a platform-independent way to do this, so it might require an `#ifdef`? OSX doesn't have `useradd`, for example. Since both Linux and OSX do have the "nobody" user, this single piece of code works for those platforms, so it might be preferable?

- Greg

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/50200/#review142972
-----------------------------------------------------------

On July 20, 2016, 8:01 p.m., Greg Mann wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/50200/
> -----------------------------------------------------------
>
> (Updated July 20, 2016, 8:01 p.m.)
>
> Review request for mesos, Gilbert Song, Jie Yu, and Joerg Schad.
>
> Bugs: mesos-5845
>     https://issues.apache.org/jira/browse/mesos-5845
>
> Repository: mesos
>
> Description
> -------
>
> To ensure that a task cannot fetch root-protected
> files from the local filesystem when running as a
> non-root user, this patch changes the fetcher to
> fetch files as the task user.
>
> Diffs
> -----
>
>   src/launcher/fetcher.cpp 0539b0182bd4a7178f103dddd1ab4fee8fc79eda
>   src/tests/fetcher_tests.cpp d38ce6e750dc828ef5af4a27fac76327cc4cb56c
>
> Diff: https://reviews.apache.org/r/50200/diff/
>
> Testing
> -------
>
> A new test was added to the fetcher tests:
> `FetcherTest.ROOT_RootProtectedFileURI`.
>
> `sudo make check` was used to test on both OSX and CentOS 7.
>
> Note that two of the fetcher tests fail for me when run as root on OSX. I saw
> the following on my OSX 10.10.5 system:
> ```
> [ FAILED ] FetcherCacheTest.LocalUncachedExtract
> [ FAILED ] FetcherCacheHttpTest.HttpMixed
> ```
>
> These failures are already tracked here:
> https://issues.apache.org/jira/browse/MESOS-4890
>
> Thanks,
>
> Greg Mann
>
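
The behaviour the review description asks for (a local file is read with the task user's privileges, so a root-only file is refused), sketched as an added example that is not part of the original e-mail or of the Mesos patch. The names `fetchAsUser`, `dropTo` and `FetchResult`, and the fork-then-drop structure, are assumptions made for illustration.

```cpp
// Added illustration, not Mesos code: open a local file with the task user's
// privileges instead of the (possibly root) launcher's.
#include <cerrno>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <string>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum class FetchResult { FETCHED = 0, DENIED = 1, DROP_FAILED = 2, NO_SUCH_USER = 3, ERROR = 4 };

// Permanently switch the calling process to `pw`. Order matters: supplementary
// groups and gid must change while the process can still change them.
static bool dropTo(const passwd* pw) {
  if (pw->pw_uid == geteuid() && pw->pw_gid == getegid()) return true;  // already that user
  if (initgroups(pw->pw_name, pw->pw_gid) != 0) return false;
  if (setgid(pw->pw_gid) != 0) return false;
  if (setuid(pw->pw_uid) != 0) return false;
  // The drop must be irreversible: regaining root has to fail.
  return pw->pw_uid == 0 || setuid(0) != 0;
}

// Hypothetical helper: try to open `path` as `user`, in a child process so the
// caller keeps its own identity. Fails closed if the drop does not succeed.
FetchResult fetchAsUser(const std::string& path, const std::string& user) {
  const passwd* pw = getpwnam(user.c_str());
  if (pw == nullptr) return FetchResult::NO_SUCH_USER;
  pid_t pid = fork();
  if (pid < 0) return FetchResult::ERROR;
  if (pid == 0) {
    if (!dropTo(pw)) _exit(static_cast<int>(FetchResult::DROP_FAILED));
    int fd = open(path.c_str(), O_RDONLY | O_CLOEXEC);
    if (fd < 0) {
      _exit(static_cast<int>(errno == EACCES ? FetchResult::DENIED : FetchResult::ERROR));
    }
    close(fd);
    _exit(static_cast<int>(FetchResult::FETCHED));
  }
  int status = 0;
  if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return FetchResult::ERROR;
  return static_cast<FetchResult>(WEXITSTATUS(status));
}
```

Run as root against a root-owned file with mode 0600, `fetchAsUser(path, "nobody")` yields `DENIED`; run unprivileged it yields `DROP_FAILED`, so the file is never opened with the caller's own privileges.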
