| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 29 Jul 2011 23:51:43 +0100 From: Pádraig Brady <P@...igBrady.com> To: Matthias Schniedermeyer <ms@...d.de> CC: Pavel Machek <pavel@....cz>, Luke Kenneth Casson Leighton <lkcl@...l.net>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, Coreutils <coreutils@....org> Subject: Re: ext3 hacked filesystem (by debian exim4 exploit) available for analysis and bugreporting On 07/29/2011 10:31 PM, Matthias Schniedermeyer wrote: > On 29.07.2011 21:59, Pavel Machek wrote: >> On Mon 2011-07-25 22:08:24, Luke Kenneth Casson Leighton wrote: >>> On Mon, Jul 25, 2011 at 2:45 PM, Matthias Schniedermeyer <ms@...d.de> wrote: >>>> On 25.07.2011 13:08, Luke Kenneth Casson Leighton wrote: >>>>> folks, hi, >>>>> >>>>> apart from anything, files which cannot be deleted (and cannot be >>>>> detected as "corrupted" by fsck.ext3) is pretty damn serious. >>>> >>>> You did try lsattr and checked that the files aren't 'immutable'? >>> >>> i didn't! :) didn't know about (but should have guessed) ext3 >>> attributes. they are indeed - thank you matthias. >>> >>> root@...etbaby:/mnt/horsebox/tmp3# lsattr * >>> ----ia------------- bin3/kill >>> ----ia------------- bin3/ps >>> ----ia------------- c.pl >>> ----ia------------- e.conf >>> ----ia------------- sbin3/sysctl >>> ----ia------------- usrbin3/uptime >>> ----ia------------- usrbin3/tload >>> ----ia------------- usrbin3/free >>> ----ia------------- usrbin3/top >>> ----ia------------- usrbin3/vmstat >>> ----ia------------- usrbin3/watch >>> ----ia------------- usrbin3/skill >>> ----ia------------- usrbin3/pmap >>> ----ia------------- usrbin3/pgrep >>> ----ia------------- usrbin3/slabtop >>> ----ia------------- usrbin3/pwdx >>> ----ia------------- usrbin3/snice >>> ----ia------------- usrbin3/pkill >>> ----ia------------- usrbin3/w >>> >>> so - looks like it's not as bad as i thought. >> >> Should ls -l be moddified to show something when file has immutable >> (and friends) set? > > AFAICT lsattr, in e2fsprogs, only does a 'stat'(lib/e2p/fgetflags.c) and > checks st_flags, which i can't see in the "man 2 stat"-man-page i have > installed, but nonetheless that is what it appears to do. > > So assuming there are no incompatibilites between filesystems, the > information appears to come "free" with the stat(s) that ls has to do > anyway. (In the sense that there doesn't appear to any excessive > overhead involved, especially no additional I/O). > > So i would say: definitly. `strace lsattr ...` shows it calls ioctl (...FS_IOC_GETFLAGS...) So there would be overhead. The output of ls is fairly constrained too for compat reasons. However these flags are not specific to ext2 so it would fit quite well from that perspective. It might be something we could add to the stat command at least? cheers, Pádraig. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists