Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
None
-
Mesosphere Sprint 2018-20, Mesosphere Sprint 2018-21, Mesosphere Sprint 2018-22, Mesosphere Sprint 2018-23
-
3
Description
If not all file descriptors are carefully open'ed with O_CLOEXEC the Mesos agent might leak them into forked processes e.g., executors. This presents a potential security issue as such processes can interfere with the agent.
The current approach is to fix all invocations of open to always set O_CLOEXEC, but this approach breaks down when using 3rdparty libraries as there is no reliable way to patch unbundled dependencies.
It seems a more reliable approach would be to close all but a whitelisted set of file descriptors when after fork, but before the exec*. It should be possible to assemble such a whitelist for the typical use cases (e.g., in for the Mesos containerizer's launch) and pass it to a modified functions to start subprocess. We might need to audit uses of raw fork in the code.
Attachments
Issue Links
- breaks
-
MESOS-8913 Resource provider manager registry leaks file descriptors into executors.
- Resolved
- causes
-
MESOS-8913 Resource provider manager registry leaks file descriptors into executors.
- Resolved