| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20191016213700.GH13108@magnolia>
Date: Wed, 16 Oct 2019 14:37:00 -0700
From: "Darrick J. Wong" <darrick.wong@...cle.com>
To: Wang Shilong <wangshilong1991@...il.com>
Cc: linux-xfs@...r.kernel.org, linux-fsdevel@...r.kernel.org,
Ext4 Developers List <linux-ext4@...r.kernel.org>,
Andreas Dilger <adilger@...ger.ca>, Li Xi <lixi@....com>,
Wang Shilong <wshilong@....com>
Subject: Re: [Project Quota]file owner could change its project ID?
On Wed, Oct 16, 2019 at 07:51:15PM +0800, Wang Shilong wrote:
> On Mon, Oct 14, 2019 at 12:41 AM Darrick J. Wong
> <darrick.wong@...cle.com> wrote:
> >
> > On Sat, Oct 12, 2019 at 02:33:36PM +0800, Wang Shilong wrote:
> > > Steps to reproduce:
> > > [wangsl@...alhost tmp]$ mkdir project
> > > [wangsl@...alhost tmp]$ lsattr -p project -d
> > > 0 ------------------ project
> > > [wangsl@...alhost tmp]$ chattr -p 1 project
> > > [wangsl@...alhost tmp]$ lsattr -p -d project
> > > 1 ------------------ project
> > > [wangsl@...alhost tmp]$ chattr -p 2 project
> > > [wangsl@...alhost tmp]$ lsattr -p -d project
> > > 2 ------------------ project
> > > [wangsl@...alhost tmp]$ df -Th .
> > > Filesystem Type Size Used Avail Use% Mounted on
> > > /dev/sda3 xfs 36G 4.1G 32G 12% /
> > > [wangsl@...alhost tmp]$ uname -r
> > > 5.4.0-rc2+
> > >
> > > As above you could see file owner could change project ID of file its self.
> > > As my understanding, we could set project ID and inherit attribute to account
> > > Directory usage, and implement a similar 'Directory Quota' based on this.
> >
> > So the problem here is that the admin sets up a project quota on a
> > directory, then non-container users change the project id and thereby
> > break quota enforcement? Dave didn't sound at all enthusiastic, but I'm
> > still wondering what exactly you're trying to prevent.
>
> Yup, we are trying to prevent no-root users to change their project ID.
> As we want to implement 'Directory Quota':
>
> If non-root users could change their project ID, they could always try
> to change its project ID to steal space when EDQUOT returns.
>
> Yup, if mount option could be introduced to make this case work,
> that will be nice.
Well then we had better discuss and write down the exact behaviors of
this new directory quota feature and how it differs from ye olde project
quota. Here's the existing definition of project quotas in the
xfs_quota manpage:
10. XFS supports the notion of project quota, which can be
used to implement a form of directory tree quota (i.e.
to restrict a directory tree to only being able to use
up a component of the filesystems available space; or
simply to keep track of the amount of space used, or
number of inodes, within the tree).
First, we probably ought to add the following to that definition to
reflect a few pieces of current reality:
"Processes running inside runtime environments using mapped user or
group ids, such as container runtimes, are not allowed to change the
project id and project id inheritance flag of inodes."
What do you all think of this starting definition for directory quotas:
11. XFS supports the similar notion of directory quota. The
key difference between project and directory quotas is the
additional restriction that only a system administrator
running outside of a mapped user or group id runtime
environment (such as a container runtime) can change the
project id and project id inheritenace flag. This means
that unprivileged users are never allowed to manage their
own directory quotas.
We'd probably enable this with a new 'dirquota' mount option that is
mutually exclusive with the old 'prjquota' option.
--D
>
>
> >
> > (Which is to say, maybe we introduce a mount option to prevent changing
> > projid if project quota *enforcement* is enabled?)
> >
> > --D
> >
Powered by blists - more mailing lists