Threat Finder

Threat ID
2777
Threat Date
06/17/2013
Threat Name
Running tasks using task tracker account
CVE Reference
CVE-NO-MATCH
CCE Reference
CCE-NO-MATCH
Risk
Medium
Database Type
Hadoop
Category
Misconfigurations
Versions
All versions of Hadoop
Summary
When using the default task controller all jobs submitted by any user will run as root, and will have the ability to overwrite, delete, or damage data regardless of ownership or permissions.
Overview
Task controllers are classes in the Hadoop MapReduce framework that define how a user's map and reduce tasks are launched and controlled. The controller is selected specifying the java plugin to use in parameter mapred.task.tracker.task-controller on file conf/mapred-site.xml. Currently, there are two task controllers available in Hadoop:
- org.apache.hadoop.mapred.DefaultTaskController: the default task controller, runs the tasks as the task tracker user, usually root, and will have the ability to overwrite, delete, or damage data regardless of ownership or permissions.
- org.apache.hadoop.mapred.LinuxTaskController: this task controller runs the tasks as the user who submitted the job. It uses a setuid executable that is included in the Hadoop distribution. The task tracker uses this executable to launch and kill tasks. The setuid executable switches to the user who has submitted the job and launches or kills the tasks. For maximum security, this task controller sets up restricted permissions and user/group ownership of local files and directories used by the tasks such as the job jar files, intermediate files, task log files and distributed cache files. Because of this, except the job owner and tasktracker, no other user can access any of the local files/directories including those localized as part of the distributed cache.
References
http://hadoop.apache.org/docs/stable/cluster_setup.html#Configuration+Files
VMSKey
STIGID

Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.

Powered by