Problem Note 64030: SASHDAT files saved to Hadoop Distributed File System (HDFS) grant Read and Write access to all users if you do not specify custom permissions
Severity: High
Description: When using the SAS® 9.4 SASHDAT engine or SAS® Viya® Cloud Analytic Services (CAS) actions to save files to HDFS in SASHDAT format, you encounter a security vulnerability. In this scenario, permissions on saved SASHDAT files incorrectly default to 666 (Read and Write access for all) when you do not specify a permission setting. When you do not specify permissions, the default HDFS umask should be applied to the file instead. The default HDFS umask is generally derived from hdfs-site.xml settings such as dfs.umaskmode or fs.permissions.umask-mode.
Potential Impact: SASHDAT files can be read, modified, or deleted by any user with access to the HDFS directory that contains these files.
Click the Hot Fix tab in this note to access the hot fix for this issue.
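The following check is an added example, not SAS code: it reads the umask from hdfs-site.xml text and flags SASHDAT files in `hdfs dfs -ls -R` output whose mode grants more than 666 masked by that umask. The sample configuration and listing are constructed, and the `.sashdat` suffix match, the octal-only umask parsing, and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

UMASK_KEYS = ("fs.permissions.umask-mode", "dfs.umaskmode")  # names from the note

# Constructed sample inputs (not taken from a real cluster).
SAMPLE_SITE_XML = """<configuration>
  <property><name>fs.permissions.umask-mode</name><value>027</value></property>
</configuration>"""
SAMPLE_LISTING = """\
Found 3 items
drwxr-xr-x   - sasdemo hadoop          0 2019-04-10 09:10 /hps
-rw-rw-rw-   3 sasdemo hadoop    1048576 2019-04-10 09:12 /hps/cars.sashdat
-rw-r-----   3 sasdemo hadoop    2097152 2019-04-15 14:03 /hps/sales.sashdat
-rw-rw-rw-   3 etl     hadoop       4096 2019-04-11 08:00 /hps/notes.txt
"""

def read_umask(site_xml, default=0o022):
    """Return the umask from hdfs-site.xml text; 022 is Hadoop's stock default.
    Assumption: the value is written in octal, not symbolic form."""
    props = {p.findtext("name"): p.findtext("value")
             for p in ET.fromstring(site_xml).iter("property")}
    for key in UMASK_KEYS:
        value = (props.get(key) or "").strip()
        if re.fullmatch(r"[0-7]{3,4}", value):
            return int(value, 8)
    return default

def mode_bits(perm):
    """Convert an 'rw-r--r--' permission string to its numeric mode."""
    return sum(1 << (8 - i) for i, c in enumerate(perm[:9]) if c != "-")

def audit(listing, umask):
    """Yield (path, actual, expected) for SASHDAT files more open than the umask allows."""
    expected = 0o666 & ~umask          # what HDFS would assign to a new file
    for line in listing.splitlines():
        fields = line.split(None, 7)
        if len(fields) < 8 or not fields[0].startswith("-"):
            continue                   # skip directories and the "Found N items" line
        path = fields[7]
        actual = mode_bits(fields[0][1:])
        if path.lower().endswith(".sashdat") and actual & ~expected:
            yield path, actual, expected

def findings(listing=SAMPLE_LISTING, site_xml=SAMPLE_SITE_XML):
    return [(p, oct(a), oct(e)) for p, a, e in audit(listing, read_umask(site_xml))]

if __name__ == "__main__":
    for path, actual, expected in findings():
        print(f"{path}: mode {actual}, umask would give {expected}")
```

Files flagged by such a check keep their 666 mode until their permissions are changed explicitly or the file is saved again with a permission setting specified.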
Operating System and Release Information
SAS System | SAS LASR Analytic Server | Linux for x64 | 2.82 | | 9.4 TS1M6 | |
SAS System | SAS Viya | Linux for x64 | 3.4 | | | |
* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.
Type: | Problem Note |
Priority: | alert |
Date Modified: | 2019-04-16 07:44:51 |
Date Created: | 2019-04-12 11:17:54 |