From 2ac029b949f041da2ee04da441c5f9f85e1f2c64 Mon Sep 17 00:00:00 2001 From: Eric Badger Date: Tue, 13 Aug 2019 16:16:49 +0000 Subject: [PATCH] YARN-9442. container working directory has group read permissions. Contributed by Jim Brennan. --- .../impl/container-executor.c | 71 +++++++++++++------ .../test/test-container-executor.c | 11 +++ 2 files changed, 60 insertions(+), 22 deletions(-) diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c index 69dee3578d0..318356d2a31 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c @@ -736,8 +736,8 @@ int check_dir(const char* npath, mode_t st_mode, mode_t desired, int finalCompon */ static int create_container_directories(const char* user, const char *app_id, const char *container_id, char* const* local_dir, char* const* log_dir, const char *work_dir) { - // create dirs as 0750 - const mode_t perms = S_IRWXU | S_IRGRP | S_IXGRP; + // create dirs as 0710 + const mode_t perms = S_IRWXU | S_IXGRP; if (user == NULL || app_id == NULL || container_id == NULL || local_dir == NULL || log_dir == NULL || work_dir == NULL || user_detail == NULL || user_detail->pw_name == NULL) { @@ -779,6 +779,9 @@ static int create_container_directories(const char* user, const char *app_id, } else { sprintf(combined_name, "%s/%s", app_id, container_id); char* const* log_dir_ptr; + // Log dirs need 750 access + const mode_t logdir_perms = S_IRWXU | S_IRGRP | S_IXGRP; + for(log_dir_ptr = log_dir; *log_dir_ptr != NULL; ++log_dir_ptr) { char *container_log_dir = get_app_log_directory(*log_dir_ptr, combined_name); int check = check_nm_local_dir(nm_uid, *log_dir_ptr); @@ -792,7 +795,7 @@ static int create_container_directories(const char* user, const char *app_id, if (container_log_dir == NULL) { free(combined_name); return OUT_OF_MEMORY; - } else if (mkdirs(container_log_dir, perms) != 0) { + } else if (mkdirs(container_log_dir, logdir_perms) != 0) { free(container_log_dir); } else { result = 0; @@ -1237,6 +1240,37 @@ int create_container_log_dirs(const char *container_id, const char *app_id, return 0; } +/** + * Function to create the application directories. + * Returns pointer to primary_app_dir or NULL if it fails. + */ +static char *create_app_dirs(const char *user, + const char *app_id, + char* const* local_dirs) +{ + // 750 + mode_t permissions = S_IRWXU | S_IRGRP | S_IXGRP; + char* const* nm_root; + char *primary_app_dir = NULL; + for(nm_root=local_dirs; *nm_root != NULL; ++nm_root) { + char *app_dir = get_app_directory(*nm_root, user, app_id); + if (app_dir == NULL) { + // try the next one + } else if (mkdirs(app_dir, permissions) != 0) { + free(app_dir); + } else if (primary_app_dir == NULL) { + primary_app_dir = app_dir; + } else { + free(app_dir); + } + } + + if (primary_app_dir == NULL) { + fprintf(LOGFILE, "Did not create any app directories\n"); + } + return primary_app_dir; +} + /** * Function to prepare the application directories for the container. */ @@ -1280,25 +1314,9 @@ int initialize_app(const char *user, const char *app_id, return -1; } - // 750 - mode_t permissions = S_IRWXU | S_IRGRP | S_IXGRP; - char* const* nm_root; - char *primary_app_dir = NULL; - for(nm_root=local_dirs; *nm_root != NULL; ++nm_root) { - char *app_dir = get_app_directory(*nm_root, user, app_id); - if (app_dir == NULL) { - // try the next one - } else if (mkdirs(app_dir, permissions) != 0) { - free(app_dir); - } else if (primary_app_dir == NULL) { - primary_app_dir = app_dir; - } else { - free(app_dir); - } - } - + // Create application directories + char *primary_app_dir = create_app_dirs(user, app_id, local_dirs); if (primary_app_dir == NULL) { - fprintf(LOGFILE, "Did not create any app directories\n"); return -1; } @@ -1738,8 +1756,17 @@ int create_local_dirs(const char * user, const char *app_id, goto cleanup; } } + + // Create application directories if not already created by localization + char *primary_app_dir = create_app_dirs(user, app_id, local_dirs); + if (primary_app_dir == NULL) { + exit_code = COULD_NOT_CREATE_WORK_DIRECTORIES; + goto cleanup; + } + free(primary_app_dir); + // Create container specific directories as user. If there are no resources - // to localize for this container, app-directories and log-directories are + // to localize for this container, log-directories are // also created automatically as part of this call. int directory_create_result = create_container_directories(user, app_id, container_id, local_dirs, log_dirs, work_dir); diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c index 2ff43c01755..f75a5eafd69 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c @@ -1039,6 +1039,17 @@ void test_launch_container(const char* app, int https) { printf("FAIL: failed to create container directory %s\n", container_dir); exit(1); } + // Verify no group read permission on container_dir + struct stat st_buf; + if (stat(container_dir, &st_buf) < 0) { + printf("FAIL: failed to stat container directory %s\n", container_dir); + exit(1); + } + if ((st_buf.st_mode & S_IRGRP) != 0) { + printf("FAIL: group read permission should not be set on " + "container directory %s\n", container_dir); + exit(1); + } char touchfile[100000]; sprintf(touchfile, "%s/foobar", container_dir); if (access(touchfile, R_OK) != 0) {