From: Elladan <elladan@eskimo.com>
To: Mark Mielke <mark@mark.mielke.cc>
Cc: Elladan <elladan@eskimo.com>,
Christoph Hellwig <hch@infradead.org>,
Linux-Kernel <linux-kernel@vger.kernel.org>
Subject: Re: [RFC] ext2 and ext3 block reservations can be bypassed
Date: Tue, 14 May 2002 10:47:53 -0700 [thread overview]
Message-ID: <20020514104753.A3070@eskimo.com> (raw)
In-Reply-To: <elladan@eskimo.com> <200205131709.g4DH9Fjv006328@pincoya.inf.utfsm.cl> <20020513105250.A30395@eskimo.com> <20020513185723.A2657@infradead.org> <20020514092254.A2581@eskimo.com> <20020514125536.B22935@mark.mielke.cc>
A second method was proposed as well - create a file with a hole in it,
map it, then dirty the pages in the hole and exit. This would not
require suid.
This is basically a documentation issue, unless someone wants to go fix
it. I wouldn't bother myself - it's ext[23] only and not really very
useful.
The basic problem is this: the documentation states "This is intended to
allow for the system to continue functioning even if non-priveleged
users fill up all the space available to them." This states that it's a
security feature. It does not work as intended - all users are
privileged to do this - so the documentation should be updated.
I'll send a patch to someone later today.
-J
On Tue, May 14, 2002 at 12:55:36PM -0400, Mark Mielke wrote:
> Notice how the space can only be filled up if a setuid program is used
> to actually fill it up. Even if it is a partial 'security feature', every
> administrator knows that setuid violates security in a non-natural way.
>
> 1) Provide a patch and see if it is accepted.
>
> 2) Convince somebody else that they should put time into features of
> questionable value such as this one.
>
> mark
>
>
>
> On Tue, May 14, 2002 at 09:22:54AM -0700, Elladan wrote:
> > I went to google and attempted to find information about the root
> > reserve space for ext2, as a user wondering about the feature would. I
> > couldn't find any documentation that states it's purely a fragmentation
> > and convenience feature. I did, however, find documents stating
> > otherwise. Note how even Documentation/filesystems/ext2.txt states that
> > it's a security feature?
> >
> > If this is not a security feature, Documentation/filesystems/ext2.txt
> > needs to be changed. Eg.,
> >
> > "In ext2, there is a mechanism for reserving a certain number of blocks
> > for a particular user (normally the super-user). This is intended to
> > keep the filesystem from filling up entirely, which helps combat
> > fragmentation. The super-user may still use this space. Note that this
> > is not a security feature, and is only provided for convenience -
> > various methods exist where a user may circumvent this reservation and
> > use the space if they so wish. Quotas or separate filesystems should be
> > used if reliable space limits are needed."
> >
> >
> >
> > 1. http://web.mit.edu/tytso/www/linux/ext2intro.html
> >
> > Design and Implementation of the Second Extended Filesystem
> >
> > [....] Ext2fs reserves some blocks for the super user (root). Normally,
> > 5% of the blocks are reserved. This allows the administrator to recover
> > easily from situations where user processes fill up filesystems.
> >
> >
> > 2. Documentation/filesystems/ext2.txt
> >
> > Reserved Space
> > --------------
> >
> > In ext2, there is a mechanism for reserving a certain number of blocks
> > for a particular user (normally the super-user). This is intended to
> > allow for the system to continue functioning even if non-priveleged
> > users fill up all the space available to them (this is independent of
> > filesystem quotas). It also keeps the filesystem from filling up
> > entirely which helps combat fragmentation.
> >
> >
> > 3. Note what mke2fs prints:
> >
> > 3275 blocks (5.00%) reserved for the super user
> >
> > It does not say "reserved to combat fragmentation"
> >
> >
> > -J
> >
> >
> > On Mon, May 13, 2002 at 06:57:23PM +0100, Christoph Hellwig wrote:
> > > On Mon, May 13, 2002 at 10:52:50AM -0700, Elladan wrote:
> > > > > It is _not_ a security feature, it is meant to keep the filesystem from
> > > > > fragmenting too badly. root can use that space, since root can do whatever
> > > > > she wants anyway.
> > > >
> > > > But it *appears* to be a security feature. Thus, someone might
> > > > incorrectly depend on it, unless it's clearly documented as otherwise.
> > >
> > > So what. People rely on chroot() as security feature all the time and
> > > we don't "fix" it either. If you need security nothing but gaining
> > > knowledge about all details helps.
> > >
> > > -
> > > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> > > the body of a message to majordomo@vger.kernel.org
> > > More majordomo info at http://vger.kernel.org/majordomo-info.html
> > > Please read the FAQ at http://www.tux.org/lkml/
> > -
> > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
> > Please read the FAQ at http://www.tux.org/lkml/
>
> --
> mark@mielke.cc/markm@ncf.ca/markm@nortelnetworks.com __________________________
> . . _ ._ . . .__ . . ._. .__ . . . .__ | Neighbourhood Coder
> |\/| |_| |_| |/ |_ |\/| | |_ | |/ |_ |
> | | | | | \ | \ |__ . | | .|. |__ |__ | \ |__ | Ottawa, Ontario, Canada
>
> One ring to rule them all, one ring to find them, one ring to bring them all
> and in the darkness bind them...
>
> http://mark.mielke.cc/
next prev parent reply other threads:[~2002-05-14 17:48 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-05-12 16:23 [RFC] ext2 and ext3 block reservations can be bypassed Kasper Dupont
2002-05-12 16:42 ` Jakob Østergaard
2002-05-12 17:34 ` Elladan
2002-05-12 18:15 ` Alexander Viro
2002-05-12 18:37 ` Elladan
2002-05-12 19:02 ` Jakob Østergaard
2002-05-12 19:04 ` Mark Mielke
2002-05-13 17:09 ` Horst von Brand
2002-05-13 17:52 ` Elladan
2002-05-13 17:57 ` Christoph Hellwig
2002-05-14 16:22 ` Elladan
2002-05-14 16:55 ` Mark Mielke
2002-05-14 17:47 ` Elladan [this message]
2002-05-14 18:51 ` Kasper Dupont
2002-05-15 19:48 ` Pavel Machek
2002-05-15 20:29 ` Alan Cox
2002-05-14 15:40 ` Kasper Dupont
2002-05-14 15:56 ` Mark Mielke
2002-05-14 18:25 ` Kasper Dupont
[not found] <791836807@toto.iv>
2002-05-12 22:04 ` Peter Chubb
2002-05-12 22:53 ` Alexander Viro
2002-05-13 4:22 ` Kasper Dupont
2002-05-13 4:51 ` Elladan
-- strict thread matches above, loose matches on Subject: below --
2002-05-14 17:53 Jesse Pollard
2002-05-14 18:23 ` Mark Mielke
2002-05-14 19:11 ` Alexander Viro
2002-05-14 18:00 Jesse Pollard
2002-05-14 18:07 Jesse Pollard
2002-05-14 18:54 Jesse Pollard
2002-05-14 19:04 ` Alexander Viro
2002-05-14 19:55 ` Mark Mielke
2002-05-14 19:29 Jesse Pollard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20020514104753.A3070@eskimo.com \
--to=elladan@eskimo.com \
--cc=hch@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mark@mark.mielke.cc \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox