From: Davidlohr Bueso <dave@gnu.org>
To: Lennart Poettering <mzxreary@0pointer.de>
Cc: Christoph Hellwig <hch@infradead.org>,
Hugh Dickins <hughd@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
lkml <linux-kernel@vger.kernel.org>,
linux-mm@kvack.org, Kay Sievers <kay.sievers@vrfy.org>
Subject: Re: [RFC PATCH] tmpfs: support user quotas
Date: Mon, 07 Nov 2011 15:20:07 +0100 [thread overview]
Message-ID: <1320675607.2330.0.camel@offworld> (raw)
In-Reply-To: <20111107112952.GB25130@tango.0pointer.de>
On Mon, 2011-11-07 at 12:29 +0100, Lennart Poettering wrote:
> On Mon, 07.11.11 02:31, Christoph Hellwig (hch@infradead.org) wrote:
>
> >
> > On Sun, Nov 06, 2011 at 06:15:01PM -0300, Davidlohr Bueso wrote:
> > > From: Davidlohr Bueso <dave@gnu.org>
> > >
> > > This patch adds a new RLIMIT_TMPFSQUOTA resource limit to restrict an individual user's quota across all mounted tmpfs filesystems.
> > > It's well known that a user can easily fill up commonly used directories (like /tmp, /dev/shm) causing programs to break through DoS.
> >
> > Please jyst implement the normal user/group quota interfaces we use for other
> > filesystem.
>
> Please don't.
>
> tmpfs by its very nature is volatile, which means that we'd have to
> upload the quota data explicitly each time we mount a tmpfs, which means
> we'd have to add quite some userspace infrastructure to make tmpfs work
> with quota. Either every time a tmpfs is mounted we'd have to apply a
> quota for every configured user and every future user to it (which is
> simply not realistic) or on every user logging in we'd have to go
> through all tmpfs mount points and apply a user-specific quota setting
> to it -- which isn't much less ugly and complex. Just using a
> user-specific RLIMIT is much much simpler and beautiful there, and
> requires almost no changes to userspace.
>
> On top of that I think a global quota over all tmpfs is actually
> preferable than a per-tmpfs quota, because what you want to enforce is
> that clients cannot drain the pool that tmpfs is backed from but how
> they distribute their share of that pool on the various tmpfs mounted
> doesn't really matter in order to avoid DoS vulnerabilities.
Right, rlimit approach guarantees a simple way of dealing with users
across all tmpfs instances.
WARNING: multiple messages have this Message-ID (diff)
From: Davidlohr Bueso <dave@gnu.org>
To: Lennart Poettering <mzxreary@0pointer.de>
Cc: Christoph Hellwig <hch@infradead.org>,
Hugh Dickins <hughd@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
lkml <linux-kernel@vger.kernel.org>,
linux-mm@kvack.org, Kay Sievers <kay.sievers@vrfy.org>
Subject: Re: [RFC PATCH] tmpfs: support user quotas
Date: Mon, 07 Nov 2011 15:20:07 +0100 [thread overview]
Message-ID: <1320675607.2330.0.camel@offworld> (raw)
In-Reply-To: <20111107112952.GB25130@tango.0pointer.de>
On Mon, 2011-11-07 at 12:29 +0100, Lennart Poettering wrote:
> On Mon, 07.11.11 02:31, Christoph Hellwig (hch@infradead.org) wrote:
>
> >
> > On Sun, Nov 06, 2011 at 06:15:01PM -0300, Davidlohr Bueso wrote:
> > > From: Davidlohr Bueso <dave@gnu.org>
> > >
> > > This patch adds a new RLIMIT_TMPFSQUOTA resource limit to restrict an individual user's quota across all mounted tmpfs filesystems.
> > > It's well known that a user can easily fill up commonly used directories (like /tmp, /dev/shm) causing programs to break through DoS.
> >
> > Please jyst implement the normal user/group quota interfaces we use for other
> > filesystem.
>
> Please don't.
>
> tmpfs by its very nature is volatile, which means that we'd have to
> upload the quota data explicitly each time we mount a tmpfs, which means
> we'd have to add quite some userspace infrastructure to make tmpfs work
> with quota. Either every time a tmpfs is mounted we'd have to apply a
> quota for every configured user and every future user to it (which is
> simply not realistic) or on every user logging in we'd have to go
> through all tmpfs mount points and apply a user-specific quota setting
> to it -- which isn't much less ugly and complex. Just using a
> user-specific RLIMIT is much much simpler and beautiful there, and
> requires almost no changes to userspace.
>
> On top of that I think a global quota over all tmpfs is actually
> preferable than a per-tmpfs quota, because what you want to enforce is
> that clients cannot drain the pool that tmpfs is backed from but how
> they distribute their share of that pool on the various tmpfs mounted
> doesn't really matter in order to avoid DoS vulnerabilities.
Right, rlimit approach guarantees a simple way of dealing with users
across all tmpfs instances.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Fight unfair telecom internet charges in Canada: sign http://stopthemeter.ca/
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2011-11-07 13:17 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-06 21:15 [RFC PATCH] tmpfs: support user quotas Davidlohr Bueso
2011-11-06 21:15 ` Davidlohr Bueso
2011-11-06 22:10 ` Lennart Poettering
2011-11-06 22:10 ` Lennart Poettering
2011-11-07 7:31 ` Christoph Hellwig
2011-11-07 7:31 ` Christoph Hellwig
2011-11-07 11:29 ` Lennart Poettering
2011-11-07 11:29 ` Lennart Poettering
2011-11-07 14:20 ` Davidlohr Bueso [this message]
2011-11-07 14:20 ` Davidlohr Bueso
2011-11-07 13:58 ` Alan Cox
2011-11-07 13:58 ` Alan Cox
2011-11-07 14:27 ` Kay Sievers
2011-11-07 14:27 ` Kay Sievers
2011-11-07 22:53 ` Alan Cox
2011-11-07 22:53 ` Alan Cox
2011-11-07 22:57 ` Glauber Costa
2011-11-07 22:57 ` Glauber Costa
2011-11-07 23:07 ` Lennart Poettering
2011-11-07 23:07 ` Lennart Poettering
2011-11-07 23:43 ` Alan Cox
2011-11-07 23:43 ` Alan Cox
2011-11-08 0:25 ` Lennart Poettering
2011-11-08 0:25 ` Lennart Poettering
2011-11-08 0:46 ` Alan Cox
2011-11-08 0:46 ` Alan Cox
2011-11-07 14:30 ` Lennart Poettering
2011-11-07 14:30 ` Lennart Poettering
2011-11-07 22:15 ` KOSAKI Motohiro
2011-11-07 22:15 ` KOSAKI Motohiro
2011-11-07 22:37 ` Kay Sievers
2011-11-07 22:37 ` Kay Sievers
2011-11-08 0:33 ` KOSAKI Motohiro
2011-11-08 0:33 ` KOSAKI Motohiro
2011-11-07 23:01 ` Alan Cox
2011-11-07 23:01 ` Alan Cox
2011-11-07 9:11 ` Valdis.Kletnieks
2011-11-07 14:49 ` Davidlohr Bueso
2011-11-07 14:49 ` Davidlohr Bueso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1320675607.2330.0.camel@offworld \
--to=dave@gnu.org \
--cc=akpm@linux-foundation.org \
--cc=hch@infradead.org \
--cc=hughd@google.com \
--cc=kay.sievers@vrfy.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mzxreary@0pointer.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.