Uploaded image for project: 'Mesos'
  1. Mesos
  2. MESOS-5845

The fetcher can access any local file as root

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 1.0.0
    • fetcher
    • Mesosphere Sprint 39
    • 3

    Description

      The Mesos fetcher currently runs as root and does a blind cp+chown of any file:// URI into the task's sandbox, to be owned by the task user. Even if frameworks are restricted from running tasks as root, it seems they can still access root-protected files in this way. We should secure the fetcher so that it has the filesystem permissions of the user its associated task is being run as. One option would be to run the fetcher as the same user that the task will run as.

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. MESOS-5218 Fetcher should not chown the entire sandbox.

          • Blocker - Blocks development and/or testing work, production could not run
          • Resolved
          relates to

          Bug - A problem which impairs or prevents the functions of the product. MESOS-5924 Fetcher may print logging error when run as unprivileged user

          • Major - Major loss of function.
          • Open

          Activity

            People

              greggomann Greg Mann
              greggomann Greg Mann
              Jie Yu Jie Yu
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: