[
https://issues.apache.org/jira/browse/YARN-6472?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Greg Phillips updated YARN-6472:
--------------------------------
Attachment: YARN-6472.001.patch
* Regex to prevent unauthorized shell commands from executing has been improved
to match backticks (i.e. `$exec`). Tests have been added for this functionality
* The DelegatingLinuxContainerRuntime now checks whether the JavaSandbox is
enabled prior to checking whether a docker container is requested.
* The generated java policy directory is now created lazily only prior to the
creation of a java.policy file.
> Possible Java sandbox improvements
> ----------------------------------
>
> Key: YARN-6472
> URL: https://issues.apache.org/jira/browse/YARN-6472
> Project: Hadoop YARN
> Issue Type: Bug
> Reporter: Miklos Szegedi
> Assignee: Greg Phillips
> Attachments: YARN-6472.001.patch
>
>
> I set the sandbox to enforcing mode. Unfortunately I was able to break out of
> the sandbox running native code with the following command:
> {code}
> cmd = "$JAVA_HOME/bin/java %s -Xmx825955249
> org.apache.hadoop.yarn.applications.helloworld.HelloWorld `touch
> ../../helloworld`" + \
> " 1><LOG_DIR>/AppMaster.stdout 2><LOG_DIR>/AppMaster.stderr"
> $ ls .../nm-local-dir/usercache/root/appcache/
> helloworld
> {code}
> Also, if I am not using sandboxes, could we create the nm-sandbox-policies
> directory (empty) lazily?
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
