lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sun, 13 Oct 2019 09:41:24 -0700
From:   "Darrick J. Wong" <darrick.wong@...cle.com>
To:     Wang Shilong <wangshilong1991@...il.com>
Cc:     linux-xfs@...r.kernel.org, linux-fsdevel@...r.kernel.org,
        Ext4 Developers List <linux-ext4@...r.kernel.org>,
        Andreas Dilger <adilger@...ger.ca>, Li Xi <lixi@....com>,
        Wang Shilong <wshilong@....com>
Subject: Re: [Project Quota]file owner could change its project ID?

On Sat, Oct 12, 2019 at 02:33:36PM +0800, Wang Shilong wrote:
> Steps to reproduce:
> [wangsl@...alhost tmp]$ mkdir project
> [wangsl@...alhost tmp]$ lsattr -p project -d
>     0 ------------------ project
> [wangsl@...alhost tmp]$ chattr -p 1 project
> [wangsl@...alhost tmp]$ lsattr -p -d project
>     1 ------------------ project
> [wangsl@...alhost tmp]$ chattr -p 2 project
> [wangsl@...alhost tmp]$ lsattr -p -d project
>     2 ------------------ project
> [wangsl@...alhost tmp]$ df -Th .
> Filesystem     Type  Size  Used Avail Use% Mounted on
> /dev/sda3      xfs    36G  4.1G   32G  12% /
> [wangsl@...alhost tmp]$ uname -r
> 5.4.0-rc2+
> 
> As above you could see file owner could change project ID of file its self.
> As my understanding, we could set project ID and inherit attribute to account
> Directory usage, and implement a similar 'Directory Quota' based on this.

So the problem here is that the admin sets up a project quota on a
directory, then non-container users change the project id and thereby
break quota enforcement?  Dave didn't sound at all enthusiastic, but I'm
still wondering what exactly you're trying to prevent.

(Which is to say, maybe we introduce a mount option to prevent changing
projid if project quota *enforcement* is enabled?)

--D

> But Directories could easily break this limit by change its file to
> other project ID.
> 
> And we used vfs_ioc_fssetxattr_check() to only allow init userspace to
> change project quota:
> 
>         /*
> 
>          * Project Quota ID state is only allowed to change from within the init
> 
>          * namespace. Enforce that restriction only if we are trying to change
> 
>          * the quota ID state. Everything else is allowed in user namespaces.
> 
>          */
> 
>         if (current_user_ns() != &init_user_ns) {
> 
>                 if (old_fa->fsx_projid != fa->fsx_projid)
> 
>                         return -EINVAL;
> 
>                 if ((old_fa->fsx_xflags ^ fa->fsx_xflags) &
> 
>                                 FS_XFLAG_PROJINHERIT)
> 
>                         return -EINVAL;
> 
>         }
> 
> Shall we have something like following to limit admin change for
> Project state too?
> 
> diff --git a/fs/inode.c b/fs/inode.c
> 
> index fef457a42882..3e324931ee84 100644
> 
> --- a/fs/inode.c
> 
> +++ b/fs/inode.c
> 
> @@ -2273,7 +2273,7 @@ int vfs_ioc_fssetxattr_check(struct inode
> *inode, const struct fsxattr *old_fa,
> 
>          * namespace. Enforce that restriction only if we are trying to change
> 
>          * the quota ID state. Everything else is allowed in user namespaces.
> 
>          */
> 
> -       if (current_user_ns() != &init_user_ns) {
> 
> +       if (current_user_ns() != &init_user_ns || !capable(CAP_SYS_ADMIN)){
> 
>                 if (old_fa->fsx_projid != fa->fsx_projid)
> 
>                         return -EINVAL;
> 
>                 if ((old_fa->fsx_xflags ^ fa->fsx_xflags) &

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ