HADOOP-19031. Enhance access control for RunJar.

Hexiaoqiao · Hexiaoqiao · commit 85108b836611 · 2024-01-09T20:21:36.000+08:00
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java
@@ -28,10 +28,13 @@
 import java.net.URL;
 import java.net.URLClassLoader;
 import java.nio.file.Files;
+import java.nio.file.attribute.PosixFilePermission;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Enumeration;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 import java.util.jar.JarEntry;
 import java.util.jar.JarFile;
 import java.util.jar.JarInputStream;
@@ -303,6 +306,13 @@ public void run(String[] args) throws Throwable {
     }
     ensureDirectory(workDir);
 
+    // Make sure that the workDir is only accessible by the current user.
+    Set<PosixFilePermission> perms = new HashSet<>();
+    perms.add(PosixFilePermission.OWNER_READ);
+    perms.add(PosixFilePermission.OWNER_WRITE);
+    perms.add(PosixFilePermission.OWNER_EXECUTE);
+    Files.setPosixFilePermissions(workDir.toPath(), perms);
+
     ShutdownHookManager.get().addShutdownHook(
         new Runnable() {
           @Override
