lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <648712FB-0ECE-41F4-B6B8-98BD3168B2A4@dilger.ca>
Date:   Wed, 16 Oct 2019 18:28:08 -0600
From:   Andreas Dilger <adilger@...ger.ca>
To:     "Darrick J. Wong" <darrick.wong@...cle.com>
Cc:     Wang Shilong <wangshilong1991@...il.com>,
        linux-xfs@...r.kernel.org, linux-fsdevel@...r.kernel.org,
        Ext4 Developers List <linux-ext4@...r.kernel.org>,
        Li Xi <lixi@....com>, Wang Shilong <wshilong@....com>
Subject: Re: [Project Quota]file owner could change its project ID?

On Oct 16, 2019, at 3:37 PM, Darrick J. Wong <darrick.wong@...cle.com> wrote:
> 
> On Wed, Oct 16, 2019 at 07:51:15PM +0800, Wang Shilong wrote:
>> On Mon, Oct 14, 2019 at 12:41 AM Darrick J. Wong
>> <darrick.wong@...cle.com> wrote:
>>> 
>>> On Sat, Oct 12, 2019 at 02:33:36PM +0800, Wang Shilong wrote:
>>>> Steps to reproduce:
>>>> [wangsl@...alhost tmp]$ mkdir project
>>>> [wangsl@...alhost tmp]$ lsattr -p project -d
>>>>    0 ------------------ project
>>>> [wangsl@...alhost tmp]$ chattr -p 1 project
>>>> [wangsl@...alhost tmp]$ lsattr -p -d project
>>>>    1 ------------------ project
>>>> [wangsl@...alhost tmp]$ chattr -p 2 project
>>>> [wangsl@...alhost tmp]$ lsattr -p -d project
>>>>    2 ------------------ project
>>>> [wangsl@...alhost tmp]$ df -Th .
>>>> Filesystem     Type  Size  Used Avail Use% Mounted on
>>>> /dev/sda3      xfs    36G  4.1G   32G  12% /
>>>> [wangsl@...alhost tmp]$ uname -r
>>>> 5.4.0-rc2+
>>>> 
>>>> As above you could see file owner could change project ID of file its self.
>>>> As my understanding, we could set project ID and inherit attribute to account
>>>> Directory usage, and implement a similar 'Directory Quota' based on this.
>>> 
>>> So the problem here is that the admin sets up a project quota on a
>>> directory, then non-container users change the project id and thereby
>>> break quota enforcement?  Dave didn't sound at all enthusiastic, but I'm
>>> still wondering what exactly you're trying to prevent.
>> 
>> Yup, we are trying to prevent no-root users to change their project ID.
>> As we want to implement 'Directory Quota':
>> 
>> If non-root users could change their project ID, they could always try
>> to change its project ID to steal space when EDQUOT returns.
>> 
>> Yup, if mount option could be introduced to make this case work,
>> that will be nice.
> 
> Well then we had better discuss and write down the exact behaviors of
> this new directory quota feature and how it differs from ye olde project
> quota.  Here's the existing definition of project quotas in the
> xfs_quota manpage:
> 
>       10.    XFS  supports  the notion of project quota, which can be
>              used to implement a form of directory tree  quota  (i.e.
>              to  restrict  a directory tree to only being able to use
>              up a component of the filesystems  available  space;  or
>              simply  to  keep  track  of the amount of space used, or
>              number of inodes, within the tree).
> 
> First, we probably ought to add the following to that definition to
> reflect a few pieces of current reality:
> 
> "Processes running inside runtime environments using mapped user or
> group ids, such as container runtimes, are not allowed to change the
> project id and project id inheritance flag of inodes."
> 
> What do you all think of this starting definition for directory quotas:
> 
>       11.    XFS supports the similar notion of directory quota.  The
> 	      key difference between project and directory quotas is the
> 	      additional restriction that only a system administrator
> 	      running outside of a mapped user or group id runtime
> 	      environment (such as a container runtime) can change the
> 	      project id and project id inheritenace flag.  This means
> 	      that unprivileged users are never allowed to manage their
>              own directory quotas.
> 
> We'd probably enable this with a new 'dirquota' mount option that is
> mutually exclusive with the old 'prjquota' option.

I don't think that this is really "directory quotas" in the end, since it
isn't changing the semantics that the same projid could exist in multiple
directory trees.  The real difference is the ability to enforce existing
project quota limits for regular users outside of a container.  Basically,
it is the same as regular users not being able to change the UID of their
files to dump quota to some other user.

So rather than rename this "dirquota", it would be better to have a
an option like "projid_enforce" or "projid_restrict", or maybe some
more flexibility to allow only users in specific groups to change the
projid like "projid_admin=<gid>" so that e.g. "staff" or "admin" groups
can still change it (in addition to root) but not regular users.  To
restrict it to root only, leave "projid_admin=0" and the default (to
keep the same "everyone can change projid" behavior) would be -1?

Cheers, Andreas

>>> (Which is to say, maybe we introduce a mount option to prevent changing
>>> projid if project quota *enforcement* is enabled?)
>>> 
>>> --D


Cheers, Andreas






Download attachment "signature.asc" of type "application/pgp-signature" (874 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ