mesos-reviews mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From James Peach <jpe...@apache.org>
Subject Review Request 64630: Narrowed task sandbox permissions from 0755 to 0750.
Date Fri, 15 Dec 2017 00:09:58 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/64630/
-----------------------------------------------------------

Review request for mesos, Andrew Schwartzmeyer, Jie Yu, and Vinod Kone.


Bugs: MESOS-8332
    https://issues.apache.org/jira/browse/MESOS-8332


Repository: mesos


Description
-------

Since task sandboxes can contain private data, we should not
make them accessible to others by default. This changes all the
places that create a task sandbox directory to use a helper API
`slave::paths::createSandboxPath` that consistently deals with
setting the directory mode and ownership.

A number of tests depended on the previous behavior where
failing to change the ownership was logged but did not cause
a failure. Depending on the test, these were updated to either
disable the agent `switch_user` flag, or to specify the current
user in the task launch message.


Diffs
-----

  src/slave/containerizer/mesos/containerizer.cpp 7ab0b07f689f872573ca458ae47cd6426ebc0365

  src/slave/containerizer/mesos/paths.cpp 8a188a918873eef468a984b80f5ea7ebaa8fb923 
  src/slave/http.cpp ed22b9f6bfa1c480a0672ce25d364bba6e33a200 
  src/slave/paths.hpp 9cbacd8da62e7c7386dca7031fc09a46ae773161 
  src/slave/paths.cpp fca2a0eec2a75ed76028ea54dc992502275d4bce 
  src/tests/api_tests.cpp 86cbba4fab5e7a45298d17f3f2969391cc18be68 
  src/tests/master_allocator_tests.cpp 9bca27c7612b9ac4813f794bcc9ed38aeed078e5 
  src/tests/master_authorization_tests.cpp 676543a5ad1bb5d47011fc2a8b05dfaaeef18c64 
  src/tests/slave_authorization_tests.cpp 4ba0b8e96614a2df0daec576c08fe02462ccaa27 


Diff: https://reviews.apache.org/r/64630/diff/1/


Testing
-------

make check (Fedora 27)


Thanks,

James Peach


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message