Re: [RFC] ext2 and ext3 block reservations can be bypassed

[Elladan <elladan@eskimo.com>]

On Sun, May 12, 2002 at 02:15:12PM -0400, Alexander Viro wrote:
> 
> On Sun, 12 May 2002, Elladan wrote:
> > 
> > It just happens that the suid program wasn't the one who chose what file
> > it was going to write stdout to - the shell did.
> > 
> > Thus, the security violation.
> 
> 	<shrug> relying on 5% in security-sensitive setup is *dumb*.
> In that case you need properly set quota (better yet, no lusers with write
> access anywhere on that fs)..
> 
> 	There are worse holes problems 5% rule.  E.g. you can create a
> file with hole, mmap over that hole, dirty the pages and exit.  Guess
> who ends up writing them out?  Right, kswapd.  Which is run as root.
> No suid applications required...

Regardless of whether it's a good thing to depend on security-wise, it
is a problem to have something that appears to be a security feature
which doesn't actually work.

Reading the documentation, I would expect that if I create an ext3
filesystem, reserve 20% of it for root, and then run a cron job as root
that uses 16% of that filesystem periodically, that cron job will not
actually fail whenever some luser decides they want it to.

I don't recall seeing it plastered in huge letters, "This space reserve
is just a convenience feature, and can easily be circumvented by the
user.  You must never rely on it for anything."

Having unsupported security features is typically a bad idea.

-J