lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sun, 20 Oct 2019 14:19:19 -0600
From:   Andreas Dilger <>
To:     "Theodore Y. Ts'o" <>
Cc:     "Darrick J. Wong" <>,
        Wang Shilong <>,,,
        Ext4 Developers List <>,
        Li Xi <>, Wang Shilong <>
Subject: Re: [Project Quota]file owner could change its project ID?

On Oct 17, 2019, at 6:12 AM, Theodore Y. Ts'o <> wrote:
> On Wed, Oct 16, 2019 at 06:28:08PM -0600, Andreas Dilger wrote:
>> I don't think that this is really "directory quotas" in the end, since it
>> isn't changing the semantics that the same projid could exist in multiple
>> directory trees.  The real difference is the ability to enforce existing
>> project quota limits for regular users outside of a container.  Basically,
>> it is the same as regular users not being able to change the UID of their
>> files to dump quota to some other user.
>> So rather than rename this "dirquota", it would be better to have a
>> an option like "projid_enforce" or "projid_restrict", or maybe some
>> more flexibility to allow only users in specific groups to change the
>> projid like "projid_admin=<gid>" so that e.g. "staff" or "admin" groups
>> can still change it (in addition to root) but not regular users.  To
>> restrict it to root only, leave "projid_admin=0" and the default (to
>> keep the same "everyone can change projid" behavior) would be -1?
> I'm not sure how common the need for restsrictive quota enforcement is
> really going to be.  Can someone convince me this is actually going to
> be a common use case?

Project quota (i.e. quota tracking that doesn't automatically also convey
permission to access a file or directory) is one of the most requested
features from our users.  This is useful for e.g. university or industry
research groups with multiple grad students/researchers under a single
principal professor/project that controls the funding.

> We could also solve the problem by adding an LSM hook called when
> there is an attempt to set the project ID, and for people who really
> want this, they can create a stackable LSM which enforces whatever
> behavior they want.

So, rather than add a few-line change that decides whether the user
is allowed to change the projid for a file, we would instead add *more*
lines to add a hook, then have to write and load an LSM that is called
each time?  That seems backward to me.

> If we think this going to be an speciality request, this might be the
> better way to go.

I don't see how this is more "speciality" than regular quota enforcement?
Just like we impose limits on users and groups, it makes sense to impose
a limit on a project, instead of just tracking it and then having to add
extra machinery to impose the limit externally.

Cheers, Andreas

Download attachment "signature.asc" of type "application/pgp-signature" (874 bytes)

Powered by blists - more mailing lists