| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 13 Oct 2019 07:51:35 +1100
From: Dave Chinner <david@...morbit.com>
To: Wang Shilong <wangshilong1991@...il.com>
Cc: linux-xfs@...r.kernel.org, linux-fsdevel@...r.kernel.org,
Ext4 Developers List <linux-ext4@...r.kernel.org>,
Andreas Dilger <adilger@...ger.ca>, Li Xi <lixi@....com>,
Wang Shilong <wshilong@....com>
Subject: Re: [Project Quota]file owner could change its project ID?
On Sat, Oct 12, 2019 at 02:33:36PM +0800, Wang Shilong wrote:
> Steps to reproduce:
> [wangsl@...alhost tmp]$ mkdir project
> [wangsl@...alhost tmp]$ lsattr -p project -d
> 0 ------------------ project
> [wangsl@...alhost tmp]$ chattr -p 1 project
> [wangsl@...alhost tmp]$ lsattr -p -d project
> 1 ------------------ project
> [wangsl@...alhost tmp]$ chattr -p 2 project
> [wangsl@...alhost tmp]$ lsattr -p -d project
> 2 ------------------ project
> [wangsl@...alhost tmp]$ df -Th .
> Filesystem Type Size Used Avail Use% Mounted on
> /dev/sda3 xfs 36G 4.1G 32G 12% /
> [wangsl@...alhost tmp]$ uname -r
> 5.4.0-rc2+
>
> As above you could see file owner could change project ID of file its self.
Perfectly legal to do this. Working as designed, and intended.
Project quotas have allowed this since they were introduced in the
late 1980s on Irix...
> As my understanding, we could set project ID and inherit attribute to account
> Directory usage, and implement a similar 'Directory Quota' based on this.
Yes, that is a -use- of project quotas, but not the -only- use.
Users have always been allowed to select what project their files
belong to - it's a method of accounting space even when users cannot
access all of the project information.
> But Directories could easily break this limit by change its file to
> other project ID.
Yes. But then users are using the project quotas as traditional
project quotas, which is just fine. There are users out there that
use this mix of behaviours - users have a default directory quota to
limit unbound space usage of home directories, but for files that
belong to a specific project they simply change the project ID and
now the space in their home directory those project files take up is
accounted to the project rather than the user.
> And we used vfs_ioc_fssetxattr_check() to only allow init userspace to
> change project quota:
Right, that's so directory quotas can be enforced for container
use cases, preventing the users inside a container from modifying
the project quota and escaping the space usage limit set for the
container. This means project quotas are unavailable for use
inside user namespaces as they are used for container resource usage
limiting.
> Shall we have something like following to limit admin change for
> Project state too?
As per above, that will break many existing use cases for project
quotas, so I don't think we will be doing that.
Cheers,
Dave.
--
Dave Chinner
david@...morbit.com
Powered by blists - more mailing lists