From: bugzilla-daemon@bugzilla.kernel.org
To: linux-ext4@vger.kernel.org
Subject: [Bug 214665] New: security bug:using "truncate" bypass disk quotas limit
Date: Sat, 09 Oct 2021 10:23:45 +0000 [thread overview]
Message-ID: <bug-214665-13602@https.bugzilla.kernel.org/> (raw)
https://bugzilla.kernel.org/show_bug.cgi?id=214665
Bug ID: 214665
Summary: security bug:using "truncate" bypass disk quotas limit
Product: File System
Version: 2.5
Kernel Version: 3.10.0-1160.36.2.el7.x86_64
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: ext4
Assignee: fs_ext4@kernel-bugs.osdl.org
Reporter: 1157599735@qq.com
Regression: No
* Overview
system user can bypass "disk quota limit" using "truncate -s 10T id" command
(that can create a file whose size is 10T).
* Steps to Reproduce
1. create a user and setup a disk quota for this user
create user "test"
```
useradd test
```
create filesystem
```
[root@vm10-50-0-18 ~]# dd if=/dev/zero of=ext4 bs=1G count=1
[root@vm10-50-0-18 ~]# mkfs.ext4 ext4
[root@vm10-50-0-18 ~]# mkdir -p /tmp/test && chmod -R 777 /tmp/test &&
mount -o usrquota,grpquota ext4 /tmp/test
```
setup disk quota
```
[root@vm10-50-0-18 ~]# quotacheck -u /tmp/test/ # create
"aquota.user" file
[root@vm10-50-0-18 ~]# edquota -u test
[root@vm10-50-0-18 ~]# quotaon /tmp/test/ -u # open quota service
```
the quota setting is like below: user "test" can not use disk space which
size exceed 10K.
```
Disk quotas for user test (uid 1000):
Filesystem blocks soft hard inodes
soft hard
/dev/loop0 0 10 10 0
0 0
```
2. verify the quota limit using "dd"
```
[root@vm10-50-0-18 ~]# su - test
上一次登录:六 10月 9 18:14:31 CST 2021pts/1 上
[test@vm10-50-0-18 ~]$ dd if=/dev/zero of=/tmp/test/id bs=20K count=1
loop0: write failed, user block limit reached. # yes,this limit
is as expected
dd: error writing ‘/tmp/test/id’: Disk quota exceeded
1+0 records in
0+0 records out
8192 bytes (8.2 kB) copied, 0.000221445 s, 37.0 MB/s
```
this result is as expected: "test" user can not write file whose size is
more than 10K.
3. verify the quota limit using "truncate"
```
[test@vm10-50-0-18 test]$ truncate -s 10T id
[test@vm10-50-0-18 test]$ ll -h id
-rw-rw-r-- 1 test test 10T Oct 9 17:16 id
```
actual results is: "test" user can create file whose size is 10T, larger
more than 10K
expected result is: like "dd result" above, "test" user can not write file
whose size is more than 10K.
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
next reply other threads:[~2021-10-09 10:23 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-09 10:23 bugzilla-daemon [this message]
2021-10-10 0:20 ` [Bug 214665] security bug:using "truncate" bypass disk quotas limit bugzilla-daemon
2021-10-11 6:24 ` bugzilla-daemon
2021-10-11 14:24 ` bugzilla-daemon
2021-10-11 14:43 ` bugzilla-daemon
2021-10-11 14:47 ` bugzilla-daemon
2021-10-11 17:05 ` bugzilla-daemon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-214665-13602@https.bugzilla.kernel.org/ \
--to=bugzilla-daemon@bugzilla.kernel.org \
--cc=linux-ext4@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.