From: Elladan <elladan@eskimo.com>
To: Mark Mielke <mark@mark.mielke.cc>
Cc: Elladan <elladan@eskimo.com>,
Christoph Hellwig <hch@infradead.org>,
Linux-Kernel <linux-kernel@vger.kernel.org>
Subject: Re: [RFC] ext2 and ext3 block reservations can be bypassed
Date: Tue, 14 May 2002 10:47:53 -0700 [thread overview]
Message-ID: <20020514104753.A3070@eskimo.com> (raw)
In-Reply-To: <elladan@eskimo.com> <200205131709.g4DH9Fjv006328@pincoya.inf.utfsm.cl> <20020513105250.A30395@eskimo.com> <20020513185723.A2657@infradead.org> <20020514092254.A2581@eskimo.com> <20020514125536.B22935@mark.mielke.cc>
A second method was proposed as well - create a file with a hole in it,
map it, then dirty the pages in the hole and exit. This would not
require suid.
This is basically a documentation issue, unless someone wants to go fix
it. I wouldn't bother myself - it's ext[23] only and not really very
useful.
The basic problem is this: the documentation states "This is intended to
allow for the system to continue functioning even if non-priveleged
users fill up all the space available to them." This states that it's a
security feature. It does not work as intended - all users are
privileged to do this - so the documentation should be updated.
I'll send a patch to someone later today.
-J
On Tue, May 14, 2002 at 12:55:36PM -0400, Mark Mielke wrote:
> Notice how the space can only be filled up if a setuid program is used
> to actually fill it up. Even if it is a partial 'security feature', every
> administrator knows that setuid violates security in a non-natural way.
>
> 1) Provide a patch and see if it is accepted.
>
> 2) Convince somebody else that they should put time into features of
> questionable value such as this one.
>
> mark
>
>
>
> On Tue, May 14, 2002 at 09:22:54AM -0700, Elladan wrote:
> > I went to google and attempted to find information about the root
> > reserve space for ext2, as a user wondering about the feature would. I
> > couldn't find any documentation that states it's purely a fragmentation
> > and convenience feature. I did, however, find documents stating
> > otherwise. Note how even Documentation/filesystems/ext2.txt states that
> > it's a security feature?
> >
> > If this is not a security feature, Documentation/filesystems/ext2.txt
> > needs to be changed. Eg.,
> >
> > "In ext2, there is a mechanism for reserving a certain number of blocks
> > for a particular user (normally the super-user). This is intended to
> > keep the filesystem from filling up entirely, which helps combat
> > fragmentation. The super-user may still use this space. Note that this
> > is not a security feature, and is only provided for convenience -
> > various methods exist where a user may circumvent this reservation and
> > use the space if they so wish. Quotas or separate filesystems should be
> > used if reliable space limits are needed."
> >
> >
> >
> > 1. http://web.mit.edu/tytso/www/linux/ext2intro.html
> >
> > Design and Implementation of the Second Extended Filesystem
> >
> > [....] Ext2fs reserves some blocks for the super user (root). Normally,
> > 5% of the blocks are reserved. This allows the administrator to recover
> > easily from situations where user processes fill up filesystems.
> >
> >
> > 2. Documentation/filesystems/ext2.txt
> >
> > Reserved Space
> > --------------
> >
> > In ext2, there is a mechanism for reserving a certain number of blocks
> > for a particular user (normally the super-user). This is intended to
> > allow for the system to continue functioning even if non-priveleged
> > users fill up all the space available to them (this is independent of
> > filesystem quotas). It also keeps the filesystem from filling up
> > entirely which helps combat fragmentation.
> >
> >
> > 3. Note what mke2fs prints:
> >
> > 3275 blocks (5.00%) reserved for the super user
> >
> > It does not say "reserved to combat fragmentation"
> >
> >
> > -J
> >
> >
> > On Mon, May 13, 2002 at 06:57:23PM +0100, Christoph Hellwig wrote:
> > > On Mon, May 13, 2002 at 10:52:50AM -0700, Elladan wrote:
> > > > > It is _not_ a security feature, it is meant to keep the filesystem from
> > > > > fragmenting too badly. root can use that space, since root can do whatever
> > > > > she wants anyway.
> > > >
> > > > But it *appears* to be a security feature. Thus, someone might
> > > > incorrectly depend on it, unless it's clearly documented as otherwise.
> > >
> > > So what. People rely on chroot() as security feature all the time and
> > > we don't "fix" it either. If you need security nothing but gaining
> > > knowledge about all details helps.
> > >
> > > -
> > > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> > > the body of a message to majordomo@vger.kernel.org
> > > More majordomo info at http://vger.kernel.org/majordomo-info.html
> > > Please read the FAQ at http://www.tux.org/lkml/
> > -
> > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
> > Please read the FAQ at http://www.tux.org/lkml/
>
> --
> mark@mielke.cc/markm@ncf.ca/markm@nortelnetworks.com __________________________
> . . _ ._ . . .__ . . ._. .__ . . . .__ | Neighbourhood Coder
> |\/| |_| |_| |/ |_ |\/| | |_ | |/ |_ |
> | | | | | \ | \ |__ . | | .|. |__ |__ | \ |__ | Ottawa, Ontario, Canada
>
> One ring to rule them all, one ring to find them, one ring to bring them all
> and in the darkness bind them...
>
> http://mark.mielke.cc/
next prev parent reply other threads:[~2002-05-14 17:48 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-05-12 16:23 [RFC] ext2 and ext3 block reservations can be bypassed Kasper Dupont
2002-05-12 16:42 ` Jakob Østergaard
2002-05-12 17:34 ` Elladan
2002-05-12 18:15 ` Alexander Viro
2002-05-12 18:37 ` Elladan
2002-05-12 19:02 ` Jakob Østergaard
2002-05-12 19:04 ` Mark Mielke
2002-05-13 17:09 ` Horst von Brand
2002-05-13 17:52 ` Elladan
2002-05-13 17:57 ` Christoph Hellwig
2002-05-14 16:22 ` Elladan
2002-05-14 16:55 ` Mark Mielke
2002-05-14 17:47 ` Elladan [this message]
2002-05-14 18:51 ` Kasper Dupont
2002-05-15 19:48 ` Pavel Machek
2002-05-15 20:29 ` Alan Cox
2002-05-14 15:40 ` Kasper Dupont
2002-05-14 15:56 ` Mark Mielke
2002-05-14 18:25 ` Kasper Dupont
[not found] <791836807@toto.iv>
2002-05-12 22:04 ` Peter Chubb
2002-05-12 22:53 ` Alexander Viro
2002-05-13 4:22 ` Kasper Dupont
2002-05-13 4:51 ` Elladan
-- strict thread matches above, loose matches on Subject: below --
2002-05-14 17:53 Jesse Pollard
2002-05-14 18:23 ` Mark Mielke
2002-05-14 19:11 ` Alexander Viro
2002-05-14 18:00 Jesse Pollard
2002-05-14 18:07 Jesse Pollard
2002-05-14 18:54 Jesse Pollard
2002-05-14 19:04 ` Alexander Viro
2002-05-14 19:55 ` Mark Mielke
2002-05-14 19:29 Jesse Pollard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20020514104753.A3070@eskimo.com \
--to=elladan@eskimo.com \
--cc=hch@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mark@mark.mielke.cc \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.