
World Write Permission on cgroup.event_control

New Contributor

I would like to change file permissions for security hardening.

These files have the 'w' bit set for others; is it possible to change them to 220 manually?

--w--w--w- 1 root root 0 Oct 29 18:41 /var/run/cloudera-scm-agent/cgroups/memory/<service_name>/cgroup.event_control
--w--w--w- 1 root root 0 Oct 29 18:43 /var/run/cloudera-scm-agent/cgroups/memory/<service_name>/cgroup.event_control

These files are newly created every time the service is started; can the permissions be set to 220 permanently instead of manually?

Could this change cause problems with the service?

 

Thanks

1 ACCEPTED SOLUTION

Expert Contributor

Hello @luisfeg,

The files are only listed in the security scan output if the cgroups feature is in effect (CM -> Hosts -> Configuration -> "Enable Cgroup-based Resource Management"). The default permissions of the cgroup.event_control files are indeed world-writable, without any other permission bit set. However, this does not have much effect, according to this document, which explains why cgroup files are typically world-writable: https://www.kernel.org/doc/Documentation/cgroup-v1/memory.txt

This seems to be created by the supervisor code's cgroups feature, and Red Hat appears to have a subscription article on a similar concern elsewhere on the file system: https://access.redhat.com/solutions/377043. These files being world-writable is an inherent part of Linux cgroups and of users being able to use the cgroup API. Cloudera can only use this cgroup feature if the user configures it explicitly through Cloudera Manager. As Red Hat states in the document mentioned above:

"Changing the world writable bit is not recommended on these files as it would break notification features of the cgroup API. Changing the permissions would have no effect. Cgroups has its own pseudo-file-system and manages all the files therein. Each time the cgconfig init script is run, the world writable bit will be set on these files. The cgroup.event_control files are world writeable. This is because they are used in conjunction with the cgroups notification API to allow notifications to be sent about a changing status in the control group."



Robert Justice, Technical Resolution Manager
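The practical consequence of the answer above is that a world-writable-file scan should treat cgroup.event_control on a cgroup pseudo-filesystem as expected kernel behaviour rather than as a finding, while still reporting world-writable files on ordinary filesystems. The script below is an added example written for this thread; it is not part of the original post or of Cloudera's agent code. The /proc/mounts content and the scan entries are constructed samples, "example_service" stands in for the <service_name> placeholder in the question, and it assumes the agent's memory hierarchy at /var/run/cloudera-scm-agent/cgroups/memory is a cgroup-type mount; it also treats sticky world-writable directories (/tmp style) as acceptable, which is the usual hardening-benchmark convention.

```python
import os
import stat

# Constructed sample of /proc/mounts content (assumption: the Cloudera agent's
# memory hierarchy is mounted as type "cgroup" at the path from the question).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /var/run/cloudera-scm-agent/cgroups/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
"""

# Constructed scan entries: (path, st_mode). "example_service" is a placeholder
# for the <service_name> shown in the question's listing.
SAMPLE_ENTRIES = [
    ("/var/run/cloudera-scm-agent/cgroups/memory/example_service/cgroup.event_control",
     stat.S_IFREG | 0o222),
    ("/var/run/cloudera-scm-agent/cgroups/memory/example_service/tasks",
     stat.S_IFREG | 0o644),
    ("/tmp", stat.S_IFDIR | 0o1777),
    ("/etc/cron.d/shared", stat.S_IFREG | 0o666),
    ("/opt/app/dropbox", stat.S_IFDIR | 0o777),
]


def parse_cgroup_mounts(mounts_text):
    """Return the mount points whose filesystem type is cgroup or cgroup2."""
    points = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] in ("cgroup", "cgroup2"):
            points.append(fields[1].rstrip("/") or "/")
    return points


def on_cgroup_fs(path, cgroup_mounts):
    """True when path is, or lies under, one of the cgroup mount points."""
    return any(path == m or path.startswith(m + "/") for m in cgroup_mounts)


def classify(path, mode, cgroup_mounts):
    """Classify one scan entry by its st_mode bits.

    'ok'             no o+w bit, or a sticky world-writable directory (/tmp style)
    'cgroup-notify'  cgroup.event_control on a cgroup mount: world-writable by
                     kernel design for the notification API, so not a finding
    'world-writable' any other entry with the o+w bit: worth investigating
    """
    if not mode & stat.S_IWOTH:
        return "ok"
    if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
        return "ok"
    if (stat.S_ISREG(mode)
            and os.path.basename(path) == "cgroup.event_control"
            and on_cgroup_fs(path, cgroup_mounts)):
        return "cgroup-notify"
    return "world-writable"


def audit_entries(entries, mounts_text):
    """Group (path, mode) entries by classification; returns sorted path lists."""
    mounts = parse_cgroup_mounts(mounts_text)
    report = {"ok": [], "cgroup-notify": [], "world-writable": []}
    for path, mode in entries:
        report[classify(path, mode, mounts)].append(path)
    return {kind: sorted(paths) for kind, paths in report.items()}


def audit_tree(root, mounts_path="/proc/mounts"):
    """Walk a real directory tree (lstat, no symlink following) and audit it live."""
    with open(mounts_path) as f:
        mounts_text = f.read()
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                entries.append((full, os.lstat(full).st_mode))
            except OSError:
                continue  # cgroup files appear and vanish with the service
    return audit_entries(entries, mounts_text)


if __name__ == "__main__":
    for kind, paths in audit_entries(SAMPLE_ENTRIES, SAMPLE_MOUNTS).items():
        for p in paths:
            print(f"{kind:15} {p}")
```

With the constructed input, the event_control file lands in the cgroup-notify bucket while /etc/cron.d/shared and the non-sticky /opt/app/dropbox are reported as world-writable; on a live host, audit_tree("/var/run/cloudera-scm-agent") applies the same rule to whatever the agent has created since the last service start, which is the check worth keeping rather than a chmod that the cgroup filesystem will not honour.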


