| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <AANLkTimQBg-ik=EAN6=tiee2308eQ33jpqu7SnTd08bK@mail.gmail.com> Date: Tue, 28 Dec 2010 23:28:31 +0100 From: Olaf van der Spek <olafvdspek@...il.com> To: Greg Freemyer <greg.freemyer@...il.com> Cc: Neil Brown <neilb@...e.de>, Christian Stroetmann <stroetmann@...olinux.com>, linux-fsdevel <linux-fsdevel@...r.kernel.org>, linux-ext4@...r.kernel.org, "Ted Ts'o" <tytso@....edu>, Nick Piggin <npiggin@...il.com> Subject: Re: Atomic non-durable file write API On Tue, Dec 28, 2010 at 11:15 PM, Greg Freemyer <greg.freemyer@...il.com> wrote: > So ACLs are lost? I'm not sure. Since preserving them might not be easy I think it's likely they're lost in some cases. > That seems like a potentially bigger issue than loosing the owner/group info. > > And I assume if the owner changes, then the new owner has privileges > to modify ACLs he didn't have previously. > > So if I want to instigate a simple denial of service in a multi-user > environment, I edit a few key docs that I have privileges to edit. By > doing so I take ownership. As owner I change the permissions and > ACLs so that no one but me can access them. > > Seems like a security hole to me. If you have write access you can clear the data as well, so effectively the difference is small. Olaf -- To unsubscribe from this list: send the line "unsubscribe linux-ext4" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists