----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/60101/#review178134 -----------------------------------------------------------
Chatted with Silas offline. So the problem we are trying to solve here is that all Mesos created directories have a [755 permission](https://github.com/apache/mesos/blob/9cfae1bdea14ab07b879d5aba8ec2c8ac2f76693/3rdparty/stout/include/stout/os/mkdir.hpp#L40) and in some environments for some directories it's too open. We need to restrict certain directories but I think with this RR: - Simply use another hard-coded value to restrict "others" and not "group" is probably too inflexible. - Right now even if you do 'umask 0027', the fetcher is going to [chmod executables back to 755](https://github.com/apache/mesos/blob/9cfae1bdea14ab07b879d5aba8ec2c8ac2f76693/src/launcher/fetcher.cpp#L267). - We should probably give the same treatment to sandboxes since the security concern there is the same. So perhaps an agent flag `--executor_dir_mode` defaulting to `755` and chmoding both the user fetcher cache dir and the executor dir using this mode would solve this problem? - Jiang Yan Xu On June 16, 2017, 4:45 p.m., Silas Snider wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/60101/ > ----------------------------------------------------------- > > (Updated June 16, 2017, 4:45 p.m.) > > > Review request for mesos, Joseph Wu and Jiang Yan Xu. > > > Bugs: MESOS-7298 > https://issues.apache.org/jira/browse/MESOS-7298 > > > Repository: mesos > > > Description > ------- > > Prevent the fetcher from setting overly-permissive fs permissions. > > > Diffs > ----- > > src/launcher/fetcher.cpp 42980f5a4a40b72f754156469e9fe60a952d1d87 > > > Diff: https://reviews.apache.org/r/60101/diff/1/ > > > Testing > ------- > > > Thanks, > > Silas Snider > >
