Message-ID: <7cc876ae264c495e9868717f33a63a77@EXMBDFT10.ad.twosigma.com>
Date:   Fri, 12 Jul 2019 21:47:13 +0000
From:   Geoffrey Thomas <Geoffrey.Thomas@...sigma.com>
To:     'Theodore Ts'o' <tytso@....edu>,
        Thomas Walker <Thomas.Walker@...sigma.com>
CC:     'Jan Kara' <jack@...e.cz>,
        "'linux-ext4@...r.kernel.org'" <linux-ext4@...r.kernel.org>,
        "Darrick J. Wong" <darrick.wong@...cle.com>
Subject: RE: Phantom full ext4 root filesystems on 4.1 through 4.14 kernels

On Friday, July 12, 2019 4:28 PM, Theodore Ts'o <tytso@....edu> wrote:
> To: Thomas Walker <Thomas.Walker@...sigma.com>
> Cc: Geoffrey Thomas <Geoffrey.Thomas@...sigma.com>; 'Jan Kara'
> <jack@...e.cz>; 'linux-ext4@...r.kernel.org' <linux-ext4@...r.kernel.org>;
> Darrick J. Wong <darrick.wong@...cle.com>
> Subject: Re: Phantom full ext4 root filesystems on 4.1 through 4.14
> kernels
> 
> On Fri, Jul 12, 2019 at 03:19:03PM -0400, Thomas Walker wrote:
> > Clearing orphaned inode 1048838 (uid=0, gid=4, mode=0100640, size=39006841856)
> 
> > Of particular note, ino 1048838 matches the size of the space that we "lost".
> 
> Hmmm... what's gid 4?  Is that a hint of where the inode might have come
> from?

Good call, gid 4 is `adm`. And now that we have an inode number, we can see the file's contents: it's from /var/log/account.

I bet that this is acct(2) holding onto a reference in some weird way (possibly involving logrotate?), which also explains why we couldn't find a userspace process holding onto the inode. We'll investigate a bit....

Thanks,
-- 
Geoffrey Thomas
geofft@...sigma.com
