[ http://www.rootshell.com/ ]

Date: Sun, 5 Jul 1998 10:12:43 +0200
From: Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Subject: Linux kernel filesystem oddities

Any amount of data, overriding quotas and kernel resource limits, can be stored in a root-owned +t directory (like /tmp) - inside... filenames!

It sounds strange, so here's an example: hard-links to root-owned files are NOT owned by you (so you may create any amount of them). I'm assuming the directory isn't owned by you, also... And every filename can store over 100 bytes of data (255 characters). So, to store 1 MB, you need about 10000 hardlinks - it isn't such a big number. Stored data will be accounted only in directory size, and, as long as this dir is root-owned, only root will be charged for it.

Ah, the same problems are with FIFOs created in root-owned dirs, because a FIFO is not treated as a file.

To Alan: You might not argue with me, but I think there's something wrong with Linux philosophy, if any user is able to bypass kernel file limits and quotas. But it seems to be hard to fix. FIFOs (and maybe other 'non-file' objects) should probably be treated as ordinary files when calculating quota. But there will be a problem with hard-links - the creator of this object is not saved anywhere, and his UID might not be equal to the owner UID - so we can't determine who is 'responsible', and who should be accounted for it.

Btw. it also causes other problems: a luser can create a hard-link to another user's file and move it to a +t directory, but he will be unable to delete or move it back from this directory, because he isn't the owner.

PS. Solar Designer's secure-linux-03 patch fixes at least the hard-link problems.

_______________________________________________________________________
Michal Zalewski [lcamtuf@boss.staszic.waw.pl] <= finger for pub PGP key
To iterate is human, to recurse, divine [P. Deutsch]
[echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]
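An added example, not part of the original post: a small audit script for the accounting gap described above. It totals the bytes a directory holds in entry names, counts names that are hard links to multiply linked regular files, and counts FIFOs. The function names and the 64 KiB review threshold are assumptions made for this illustration.

```python
#!/usr/bin/env python3
"""Audit a shared directory for data held in entry names (added example)."""
import os
import stat
import sys
from collections import Counter


def audit_dir(path):
    """Count what the directory stores in names, extra hard links and FIFOs."""
    report = {
        "entries": 0,
        "name_bytes": 0,        # bytes carried by the entry names themselves
        "multi_link_names": 0,  # names of regular files with st_nlink > 1
        "fifos": 0,
        "dir_size": os.lstat(path).st_size,  # the only place names are accounted
        "name_bytes_by_uid": Counter(),      # keyed by inode owner, not creator
    }
    with os.scandir(path) as entries:
        for entry in entries:
            st = entry.stat(follow_symlinks=False)
            size = len(os.fsencode(entry.name))
            report["entries"] += 1
            report["name_bytes"] += size
            # stat() only exposes the inode owner; the link's creator is not
            # recorded anywhere, which is the attribution problem in the post.
            report["name_bytes_by_uid"][st.st_uid] += size
            if stat.S_ISFIFO(st.st_mode):
                report["fifos"] += 1
            elif stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                report["multi_link_names"] += 1
    return report


def needs_review(report, max_name_bytes=64 * 1024):
    """Hypothetical policy: flag directories whose names alone exceed a budget."""
    return report["name_bytes"] > max_name_bytes


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    result = audit_dir(target)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("needs_review:", needs_review(result))
```

A large `name_bytes` total attributed to root in `name_bytes_by_uid`, together with a high `multi_link_names` or `fifos` count, is the pattern the post describes; the per-UID figures cannot identify who created the links.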