YARN-9442. container working directory has group read permissions. Contributed by Jim Brennan.

Eric Badger 2019-08-13 16:16:49 +00:00
parent 274966e675
commit 2ac029b949
2 changed files with 60 additions and 22 deletions


@ -736,8 +736,8 @@ int check_dir(const char* npath, mode_t st_mode, mode_t desired, int finalCompon
*/ */
static int create_container_directories(const char* user, const char *app_id, static int create_container_directories(const char* user, const char *app_id,
const char *container_id, char* const* local_dir, char* const* log_dir, const char *work_dir) { const char *container_id, char* const* local_dir, char* const* log_dir, const char *work_dir) {
// create dirs as 0750 // create dirs as 0710
const mode_t perms = S_IRWXU | S_IRGRP | S_IXGRP; const mode_t perms = S_IRWXU | S_IXGRP;
if (user == NULL || app_id == NULL || container_id == NULL || if (user == NULL || app_id == NULL || container_id == NULL ||
local_dir == NULL || log_dir == NULL || work_dir == NULL || local_dir == NULL || log_dir == NULL || work_dir == NULL ||
user_detail == NULL || user_detail->pw_name == NULL) { user_detail == NULL || user_detail->pw_name == NULL) {
@ -779,6 +779,9 @@ static int create_container_directories(const char* user, const char *app_id,
} else { } else {
sprintf(combined_name, "%s/%s", app_id, container_id); sprintf(combined_name, "%s/%s", app_id, container_id);
char* const* log_dir_ptr; char* const* log_dir_ptr;
// Log dirs need 750 access
const mode_t logdir_perms = S_IRWXU | S_IRGRP | S_IXGRP;
for(log_dir_ptr = log_dir; *log_dir_ptr != NULL; ++log_dir_ptr) { for(log_dir_ptr = log_dir; *log_dir_ptr != NULL; ++log_dir_ptr) {
char *container_log_dir = get_app_log_directory(*log_dir_ptr, combined_name); char *container_log_dir = get_app_log_directory(*log_dir_ptr, combined_name);
int check = check_nm_local_dir(nm_uid, *log_dir_ptr); int check = check_nm_local_dir(nm_uid, *log_dir_ptr);
@ -792,7 +795,7 @@ static int create_container_directories(const char* user, const char *app_id,
if (container_log_dir == NULL) { if (container_log_dir == NULL) {
free(combined_name); free(combined_name);
return OUT_OF_MEMORY; return OUT_OF_MEMORY;
} else if (mkdirs(container_log_dir, perms) != 0) { } else if (mkdirs(container_log_dir, logdir_perms) != 0) {
free(container_log_dir); free(container_log_dir);
} else { } else {
result = 0; result = 0;
@ -1237,6 +1240,37 @@ int create_container_log_dirs(const char *container_id, const char *app_id,
return 0; return 0;
} }
/**
* Function to create the application directories.
* Returns pointer to primary_app_dir or NULL if it fails.
*/
static char *create_app_dirs(const char *user,
const char *app_id,
char* const* local_dirs)
{
// 750
mode_t permissions = S_IRWXU | S_IRGRP | S_IXGRP;
char* const* nm_root;
char *primary_app_dir = NULL;
for(nm_root=local_dirs; *nm_root != NULL; ++nm_root) {
char *app_dir = get_app_directory(*nm_root, user, app_id);
if (app_dir == NULL) {
// try the next one
} else if (mkdirs(app_dir, permissions) != 0) {
free(app_dir);
} else if (primary_app_dir == NULL) {
primary_app_dir = app_dir;
} else {
free(app_dir);
}
}
if (primary_app_dir == NULL) {
fprintf(LOGFILE, "Did not create any app directories\n");
}
return primary_app_dir;
}
/** /**
* Function to prepare the application directories for the container. * Function to prepare the application directories for the container.
*/ */
@ -1280,25 +1314,9 @@ int initialize_app(const char *user, const char *app_id,
return -1; return -1;
} }
// 750 // Create application directories
mode_t permissions = S_IRWXU | S_IRGRP | S_IXGRP; char *primary_app_dir = create_app_dirs(user, app_id, local_dirs);
char* const* nm_root;
char *primary_app_dir = NULL;
for(nm_root=local_dirs; *nm_root != NULL; ++nm_root) {
char *app_dir = get_app_directory(*nm_root, user, app_id);
if (app_dir == NULL) {
// try the next one
} else if (mkdirs(app_dir, permissions) != 0) {
free(app_dir);
} else if (primary_app_dir == NULL) {
primary_app_dir = app_dir;
} else {
free(app_dir);
}
}
if (primary_app_dir == NULL) { if (primary_app_dir == NULL) {
fprintf(LOGFILE, "Did not create any app directories\n");
return -1; return -1;
} }
@ -1738,8 +1756,17 @@ int create_local_dirs(const char * user, const char *app_id,
goto cleanup; goto cleanup;
} }
} }
// Create application directories if not already created by localization
char *primary_app_dir = create_app_dirs(user, app_id, local_dirs);
if (primary_app_dir == NULL) {
exit_code = COULD_NOT_CREATE_WORK_DIRECTORIES;
goto cleanup;
}
free(primary_app_dir);
// Create container specific directories as user. If there are no resources // Create container specific directories as user. If there are no resources
// to localize for this container, app-directories and log-directories are // to localize for this container, log-directories are
// also created automatically as part of this call. // also created automatically as part of this call.
int directory_create_result = create_container_directories(user, app_id, int directory_create_result = create_container_directories(user, app_id,
container_id, local_dirs, log_dirs, work_dir); container_id, local_dirs, log_dirs, work_dir);
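Review bot: The two permission constants in create_container_directories now differ (`perms` is 0710 in the first hunk, `logdir_perms` is 0750 in the second), but neither comment says why, and `perms` no longer says what it applies to. I would record the reason at the definition, e.g. `// work dirs are 0710: the group may traverse but not list the directory`, and state next to `logdir_perms` which group member needs to read the log dirs. Note that 0710 only stops enumeration: a group member who knows a file name can still open it if the file's own mode allows, so file modes inside the work dir still matter. Whether mkdirs() tightens a directory that already exists with 0750 is not visible in these hunks; if it does not, an explicit chmod on the existing path would be needed for the new mode to take effect there. The function body extends beyond the hunks shown.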


@ -1039,6 +1039,17 @@ void test_launch_container(const char* app, int https) {
printf("FAIL: failed to create container directory %s\n", container_dir); printf("FAIL: failed to create container directory %s\n", container_dir);
exit(1); exit(1);
} }
// Verify no group read permission on container_dir
struct stat st_buf;
if (stat(container_dir, &st_buf) < 0) {
printf("FAIL: failed to stat container directory %s\n", container_dir);
exit(1);
}
if ((st_buf.st_mode & S_IRGRP) != 0) {
printf("FAIL: group read permission should not be set on "
"container directory %s\n", container_dir);
exit(1);
}
char touchfile[100000]; char touchfile[100000];
sprintf(touchfile, "%s/foobar", container_dir); sprintf(touchfile, "%s/foobar", container_dir);
if (access(touchfile, R_OK) != 0) { if (access(touchfile, R_OK) != 0) {
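Review bot: The new assertion only tests `S_IRGRP`, so it would still pass if the container directory came back group-writable or accessible to others. Checking every bit the change is meant to exclude in one mask, e.g. `if ((st_buf.st_mode & (S_IRGRP | S_IWGRP | S_IRWXO)) != 0) {`, pins the intent more tightly. A matching check that the container log directory still has group read would cover the other half of the change, the `logdir_perms` path, which nothing in this hunk exercises. test_launch_container continues past the end of the hunk.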