[ 
https://issues.apache.org/jira/browse/YARN-7590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16274708#comment-16274708
 ] 

Eric Yang commented on YARN-7590:
---------------------------------

There are currently two proposals to address this issue:

h3. Proposals

# Container executor should link to a C-based XML parser to get local 
directories from yarn-site.xml.
# Add configuration to container executor config for local directories for 
container executor to verify allowed prefix path.

h3. Obstacle

If we choose option 1, expat and libxml2 are license-compatible libraries for 
this purpose.  However, both parsers also had security vulnerabilities that 
allow hijacking of the doctype to connect to a remote server for DTD 
validation.  The implementation must disable remote schema validation.

If we choose option 2, this design was originally proposed 6+ years ago, but 
the implementation was lost in MAPREDUCE-2413.  If we put the duplicated 
properties in separate files, then it is likely to get lost during code 
optimization again.  I recommend avoiding this path.

> Improve container-executor validation check
> -------------------------------------------
>
>                 Key: YARN-7590
>                 URL: https://issues.apache.org/jira/browse/YARN-7590
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: security, yarn
>            Reporter: Eric Yang
>
> There is a minimum check for the prefix path for container-executor.  If 
> YARN is compromised, an attacker can use container-executor to change 
> system files' ownership:
> {code}
> /usr/local/hadoop/bin/container-executor spark yarn 0 etc /home/yarn/tokens 
> /home/spark / ls
> {code}
> This will change /etc to be owned by spark user:
> {code}
> # ls -ld /etc
> drwxr-s---. 110 spark hadoop 8192 Nov 21 20:00 /etc
> {code}
> The spark user can rewrite /etc files to gain more access.  We can improve 
> this with additional checks in container-executor:
> # Make sure the prefix path is the same as the one in yarn-site.xml, and 
> yarn-site.xml is owned by root, 644, and marked as final in property.
> # Make sure the user path is not a symlink, usercache is not a symlink.
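
The two checks listed in the issue description (allowed prefix, no symlink), sketched in C as an added example; this is not code from Hadoop's container-executor. The function names, return codes and the `allowed` list (assumed to come from a root-owned configuration source) are hypothetical.

```c
#define _XOPEN_SOURCE 700   /* lstat, realpath */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* 1 if path equals prefix or sits below it on a component boundary,
 * so "/data/yarn-evil" does not pass for the prefix "/data/yarn". */
int under_prefix(const char *path, const char *prefix) {
    size_t n = strlen(prefix);
    while (n > 1 && prefix[n - 1] == '/') n--;      /* drop trailing slashes */
    if (n < 2 || prefix[0] != '/') return 0;        /* refuse "", "/" and relative prefixes */
    if (strncmp(path, prefix, n) != 0) return 0;
    return path[n] == '\0' || path[n] == '/';
}

/* 0 if dir passes both checks, negative otherwise. allowed[] is assumed to
 * hold canonical absolute paths taken from a root-owned config (hypothetical). */
int check_local_dir(const char *dir, const char *const *allowed, size_t n_allowed) {
    struct stat st;
    char real[PATH_MAX];
    if (lstat(dir, &st) != 0) return -1;            /* missing or unreadable */
    if (S_ISLNK(st.st_mode)) return -2;             /* last component is a symlink */
    if (!S_ISDIR(st.st_mode)) return -3;            /* not a directory */
    if (realpath(dir, real) == NULL) return -1;     /* resolves symlinked parents and ".." */
    for (size_t i = 0; i < n_allowed; i++)
        if (under_prefix(real, allowed[i])) return 0;
    return -4;                                      /* outside every allowed prefix */
}

int main(int argc, char **argv) {
    /* Constructed sample prefix; a real deployment would load its own list. */
    const char *allowed[] = { "/data/yarn/local" };
    for (int i = 1; i < argc; i++)
        printf("%s -> %d\n", argv[i], check_local_dir(argv[i], allowed, 1));
    return 0;
}
```

A check made with `lstat` and acted on later by path is open to a race between check and use; opening the directory with `O_NOFOLLOW` and operating on the file descriptor (`fchown`, `openat`) avoids that.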


