public inbox for linux-kernel@vger.kernel.org
From: Elladan <elladan@eskimo.com>
To: Jakob Østergaard <jakob@unthought.net>,
	Kasper Dupont <kasperd@daimi.au.dk>,
	Linux-Kernel <linux-kernel@vger.kernel.org>
Subject: Re: [RFC] ext2 and ext3 block reservations can be bypassed
Date: Sun, 12 May 2002 10:34:32 -0700
Message-ID: <20020512103432.A24018@eskimo.com>
In-Reply-To: <3CDE96F9.8443C446@daimi.au.dk> <20020512184204.A17334@unthought.net>

His test was different.

He opened a file in a legal situation (shell can create a new file), and
then forked off a suid process over and over with the stdout of that
process set to a dup of the shell's already open fd.

It's perfectly legal for the shell to sit around with a file open and
pass it off to a child, even if the disk is full.

It's also perfectly legal for root to write to the fd, even if the disk
is full (for normal users).  

It just happens that the suid program wasn't the one who chose what file
it was going to write stdout to - the shell did.

Thus, the security violation.


mount > /etc/passwd doesn't work, because the shell can't open
/etc/passwd for writing.

-J


On Sun, May 12, 2002 at 06:42:04PM +0200, Jakob Østergaard wrote:
> On Sun, May 12, 2002 at 06:23:21PM +0200, Kasper Dupont wrote:
> > Usually the last 5% of the diskspace on ext2 and ext3
> > filesystems are reserved for root. But I just realized
> > that they can be bypassed by redirecting the output
> > from a suid root program to a file.
> > 
> > This command will keep writing beyond the 95% limit:
> > while true ; do mount ; done >filename
> 
> Hej Kasper,
> 
> Sure you were not running the shell as root ?  :)
> 
> The redirection is handled by your shell, mount doesn't have anything to do
> with the '>filename' part.
> 
> Actually, the more fun test is to
>   mount > /etc/passwd
> or
>   mount > /dev/hda
> 
> But this won't work either, unless your shell (and therefore you as a user,
> suid programs or not) have the permissions as required.
> 
> In short: I don't think you are seeing what you think you are seeing  ;)
> 
> -- 
> ................................................................
> :   jakob@unthought.net   : And I see the elder races,         :
> :.........................: putrid forms of man                :
> :   Jakob Østergaard      : See him rise and claim the earth,  :
> :        OZ9ABN           : his downfall is at hand.           :
> :.........................:............{Konkhra}...............:
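
An added illustration, not code from this thread or from the kernel: a toy C model of the situation the message above describes, where the reservation check is decided by the identity of the process calling write() and not by the one that opened the file. The struct and function names, the uids, and the `CHECK_OPENER` policy (included only for comparison) are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of the reservation check; every name here is illustrative. */
enum policy { CHECK_WRITER, CHECK_OPENER };

struct fs   { long free_blocks, reserved; unsigned resuid; };
struct file { struct fs *fs; unsigned opener_uid; };  /* uid recorded at open() */

/* Allocate one block for a write() issued by writer_uid through f. */
static bool alloc_block(struct file *f, unsigned writer_uid, enum policy p)
{
    struct fs *fs = f->fs;
    /* Whose identity decides access to the reserve? */
    unsigned who = (p == CHECK_WRITER) ? writer_uid : f->opener_uid;

    if (fs->free_blocks <= 0)
        return false;                       /* disk really is full */
    if (fs->free_blocks <= fs->reserved && who != fs->resuid)
        return false;                       /* ENOSPC: only the reserve is left */
    fs->free_blocks--;
    return true;
}

/* Blocks taken out of the reserve when writer_uid writes `writes` blocks
 * to a file that opener_uid opened, starting with only the reserve free. */
long reserve_blocks_used(enum policy p, unsigned opener_uid,
                         unsigned writer_uid, int writes)
{
    struct fs fs = { .free_blocks = 5, .reserved = 5, .resuid = 0 };
    struct file f = { .fs = &fs, .opener_uid = opener_uid };

    for (int i = 0; i < writes; i++)
        if (!alloc_block(&f, writer_uid, p))
            break;
    return 5 - fs.free_blocks;
}

int main(void)
{
    /* uid 1000 is a constructed unprivileged user, uid 0 is root */
    printf("user writes own file:         %ld\n", reserve_blocks_used(CHECK_WRITER, 1000, 1000, 3));
    printf("root child, user-opened fd:   %ld\n", reserve_blocks_used(CHECK_WRITER, 1000, 0, 3));
    printf("same, checked against opener: %ld\n", reserve_blocks_used(CHECK_OPENER, 1000, 0, 3));
    return 0;
}
```

The middle case is the one in the thread: the file was legitimately opened by the user, the writes are legitimately root's, and the reserve shrinks anyway.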
