[
https://issues.apache.org/jira/browse/YARN-7430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16244970#comment-16244970
]
Eric Yang edited comment on YARN-7430 at 11/9/17 12:13 AM:
-----------------------------------------------------------
[~ebadger] They are two separate problems. A lot of conversation here belongs
to YARN-7446. This issue is to tackle the problem that we have a implicit
privilege escalation security hole in the default shipped configuration when
the following condition is met:
# Privileged container is enabled.
# Deploy docker container with user mapping to a different uid:gid than host
OS, or using a numeric username to launch app.
# Data output from container is written as someone else or with root group
ownership.
In summary, to prevent privileges escalation, we should always pass in primary
group to improve security.
was (Author: eyang):
[~ebadger] They are two separate problems. A lot of conversation here belongs
to YARN-7446. This issue is to tackle the problem that we have a implicit
privilege escalation security hole in the default shipped configuration when
the following condition is met:
# Privileged container is enabled.
# Deploy docker container with user mapping to a different uid:gid than host
OS, or using a numeric username to launch app.
# Data output from container is written with as someone else or root group.
In summary, to prevent privileges escalation, we should always pass in primary
group to improve security.
> User and Group mapping are incorrect in docker container
> --------------------------------------------------------
>
> Key: YARN-7430
> URL: https://issues.apache.org/jira/browse/YARN-7430
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: security, yarn
> Affects Versions: 2.9.0, 3.0.0
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Blocker
> Attachments: YARN-7430.001.patch
>
>
> In YARN-4266, the recommendation was to use -u [uid]:[gid] numeric values to
> enforce user and group for the running user. In YARN-6623, this translated
> to --user=test --group-add=group1. The code no longer enforce group
> correctly for launched process.
> In addition, the implementation in YARN-6623 requires the user and group
> information to exist in container to translate username and group to uid/gid.
> For users on LDAP, there is no good way to populate container with user and
> group information.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
