Threat Finder

Threat ID: 2778
Threat Date: 06/19/2013
Threat Name: HDFS permissions disabled
CVE Reference: CVE-NO-MATCH
CCE Reference: CCE-NO-MATCH
Risk: Medium
Database Type: Hadoop
Category: Improper Access Controls
Versions: All versions of Hadoop
Summary
HDFS has a permissions model for files and directories that is enabled by default and should be kept enabled.
Overview
The Hadoop Distributed File System (HDFS) implements a permissions model for files and directories that shares much of the POSIX model: each file and directory is associated with an owner and a group. The file or directory has separate permissions for the user that is the owner, for other users that are members of the group, and for all other users. There are three types of permission: the read permission (r), the write permission (w), and the execute permission (x). The read permission is required to read files or list the contents of a directory. The write permission is required to write a file, or for a directory, to create or delete files or directories in it. The execute permission is ignored for a file because you can't execute a file on HDFS (unlike POSIX), and for a directory this permission is required to access its children.
When permissions checking is enabled, the owner permissions are checked if the client's username matches the owner, and the group permissions are checked if the client is a member of the group; otherwise, the other permissions are checked.
Permissions are enabled by default.
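An audit check for this finding, added here as an example and not part of the original entry or of any vendor fix script. It reads the text of hdfs-site.xml and reports whether permission checking has been switched off. The property names `dfs.permissions.enabled` and its deprecated form `dfs.permissions` are Hadoop's configuration keys and are not named in the entry; the function name and the sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# dfs.permissions.enabled is the current hdfs-site.xml key; dfs.permissions is
# the deprecated name used by older Hadoop releases.
PERMISSION_KEYS = ("dfs.permissions.enabled", "dfs.permissions")

# Constructed sample configuration (not taken from a real cluster).
SAMPLE_HDFS_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>dfs.replication</name>
    <value>3</value>
  </property>
  <property>
    <name>dfs.permissions.enabled</name>
    <value> False </value>
  </property>
</configuration>
"""

def audit_hdfs_permissions(xml_text):
    """Return (status, settings) for the permission keys in hdfs-site.xml text.

    status is "DISABLED" if any occurrence is set to false, "REVIEW" if a
    value is neither true nor false, and "ENABLED" otherwise. An absent key
    counts as enabled, because permission checking is on by default.
    """
    root = ET.fromstring(xml_text)
    settings = []
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name in PERMISSION_KEYS:
            # Compare trimmed and case-insensitively so " False " is caught.
            value = (prop.findtext("value") or "").strip().lower()
            settings.append((name, value))
    values = [value for _, value in settings]
    if "false" in values:
        return "DISABLED", settings
    if any(v not in ("true", "false") for v in values):
        return "REVIEW", settings
    return "ENABLED", settings

if __name__ == "__main__":
    status, settings = audit_hdfs_permissions(SAMPLE_HDFS_SITE)
    print(status, settings)
```

The check reads only the file it is given, so run it against the hdfs-site.xml that the NameNode actually loads.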
References
http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html
VMSKey
STIGID

Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.
