| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 12 Oct 2019 14:33:36 +0800
From: Wang Shilong <wangshilong1991@...il.com>
To: linux-xfs@...r.kernel.org, linux-fsdevel@...r.kernel.org,
Ext4 Developers List <linux-ext4@...r.kernel.org>,
Andreas Dilger <adilger@...ger.ca>, Li Xi <lixi@....com>,
Wang Shilong <wshilong@....com>
Subject: [Project Quota]file owner could change its project ID?
Steps to reproduce:
[wangsl@...alhost tmp]$ mkdir project
[wangsl@...alhost tmp]$ lsattr -p project -d
0 ------------------ project
[wangsl@...alhost tmp]$ chattr -p 1 project
[wangsl@...alhost tmp]$ lsattr -p -d project
1 ------------------ project
[wangsl@...alhost tmp]$ chattr -p 2 project
[wangsl@...alhost tmp]$ lsattr -p -d project
2 ------------------ project
[wangsl@...alhost tmp]$ df -Th .
Filesystem Type Size Used Avail Use% Mounted on
/dev/sda3 xfs 36G 4.1G 32G 12% /
[wangsl@...alhost tmp]$ uname -r
5.4.0-rc2+
As above you could see file owner could change project ID of file its self.
As my understanding, we could set project ID and inherit attribute to account
Directory usage, and implement a similar 'Directory Quota' based on this.
But Directories could easily break this limit by change its file to
other project ID.
And we used vfs_ioc_fssetxattr_check() to only allow init userspace to
change project quota:
/*
* Project Quota ID state is only allowed to change from within the init
* namespace. Enforce that restriction only if we are trying to change
* the quota ID state. Everything else is allowed in user namespaces.
*/
if (current_user_ns() != &init_user_ns) {
if (old_fa->fsx_projid != fa->fsx_projid)
return -EINVAL;
if ((old_fa->fsx_xflags ^ fa->fsx_xflags) &
FS_XFLAG_PROJINHERIT)
return -EINVAL;
}
Shall we have something like following to limit admin change for
Project state too?
diff --git a/fs/inode.c b/fs/inode.c
index fef457a42882..3e324931ee84 100644
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -2273,7 +2273,7 @@ int vfs_ioc_fssetxattr_check(struct inode
*inode, const struct fsxattr *old_fa,
* namespace. Enforce that restriction only if we are trying to change
* the quota ID state. Everything else is allowed in user namespaces.
*/
- if (current_user_ns() != &init_user_ns) {
+ if (current_user_ns() != &init_user_ns || !capable(CAP_SYS_ADMIN)){
if (old_fa->fsx_projid != fa->fsx_projid)
return -EINVAL;
if ((old_fa->fsx_xflags ^ fa->fsx_xflags) &
Powered by blists - more mailing lists