[Bug 214665] New: security bug:using "truncate" bypass disk quotas limit

https://bugzilla.kernel.org/show_bug.cgi?id=214665

            Bug ID: 214665
           Summary: security bug:using "truncate" bypass disk quotas limit
           Product: File System
           Version: 2.5
    Kernel Version: 3.10.0-1160.36.2.el7.x86_64
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ext4
          Assignee: fs_ext4@xxxxxxxxxxxxxxxxxxxx
          Reporter: 1157599735@xxxxxx
        Regression: No

* Overview

  A system user can bypass the disk quota limit using the "truncate -s 10T id" command (which can create a file whose size is 10T).

* Steps to Reproduce

  1. create a user and set up a disk quota for this user

    create user "test"
    ```
    useradd test
    ```

    create filesystem
    ```
    [root@vm10-50-0-18 ~]# dd if=/dev/zero of=ext4 bs=1G count=1
    [root@vm10-50-0-18 ~]# mkfs.ext4 ext4
    [root@vm10-50-0-18 ~]# mkdir -p /tmp/test && chmod -R 777 /tmp/test && mount -o usrquota,grpquota ext4 /tmp/test
    ```

    set up disk quota
    ```
    [root@vm10-50-0-18 ~]# quotacheck -u /tmp/test/       # create "aquota.user" file
    [root@vm10-50-0-18 ~]# edquota -u test
    [root@vm10-50-0-18 ~]# quotaon /tmp/test/ -u    # open quota service
    ```

    the quota setting is like below: user "test" cannot use disk space whose size exceeds 10K.
    ```
    Disk quotas for user test (uid 1000):
    Filesystem                   blocks       soft       hard     inodes     soft     hard
    /dev/loop0                        0          10          10          0        0        0
    ```

  2. verify the quota limit using "dd"

    ```
    [root@vm10-50-0-18 ~]# su - test
    上一次登录:六 10月  9 18:14:31 CST 2021pts/1 上
    [test@vm10-50-0-18 ~]$ dd if=/dev/zero of=/tmp/test/id bs=20K count=1
    loop0: write failed, user block limit reached.            # yes, this limit is as expected
    dd: error writing ‘/tmp/test/id’: Disk quota exceeded
    1+0 records in
    0+0 records out
    8192 bytes (8.2 kB) copied, 0.000221445 s, 37.0 MB/s
    ```

    this result is as expected: the "test" user cannot write a file whose size is more than 10K.

  3. verify the quota limit using "truncate"

    ```
    [test@vm10-50-0-18 test]$ truncate -s 10T id
    [test@vm10-50-0-18 test]$ ll -h id
    -rw-rw-r-- 1 test test 10T Oct  9 17:16 id
    ```

    actual result: the "test" user can create a file whose size is 10T, larger than 10K

    expected result: like the "dd" result above, the "test" user cannot write a file whose size is more than 10K.
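
Added example, not part of the original report: the `blocks` column in the quota output above counts allocated blocks, while `truncate -s` only sets a file's length without writing data. The script compares the two figures for a file made each way and flags files with holes; it assumes GNU coreutils, and the file names and the 1G/64K sizes are constructed.

```shell
#!/usr/bin/env bash
# Added example (constructed paths and sizes); assumes GNU coreutils.

# Logical length: what "ls -l" shows and what "truncate -s" sets.
apparent_bytes()  { stat -c '%s' "$1"; }

# Space actually allocated: block count (%b) times the block unit (%B).
allocated_bytes() { echo $(( $(stat -c '%b' "$1") * $(stat -c '%B' "$1") )); }

# True when the file has holes, i.e. fewer bytes allocated than its length.
is_sparse() { [ "$(allocated_bytes "$1")" -lt "$(apparent_bytes "$1")" ]; }

# List regular files under a directory as: apparent allocated kind path
report() {
    find "$1" -type f | sort | while IFS= read -r f; do
        if is_sparse "$f"; then kind=sparse; else kind=dense; fi
        printf '%14s %12s  %-6s %s\n' \
            "$(apparent_bytes "$f")" "$(allocated_bytes "$f")" "$kind" "$f"
    done
}

# Build both cases from the report in a scratch directory and print them.
demo() {
    local dir
    dir=$(mktemp -d)
    truncate -s 1G "$dir/via_truncate"            # length set, nothing written
    dd if=/dev/urandom of="$dir/via_dd" bs=64K count=1 \
        iflag=fullblock conv=fsync status=none    # 64K of data really written
    report "$dir"
    rm -rf "$dir"
}

demo
```

Running `report` on a quota-enabled mount point lists which files have an apparent size far above their allocated size.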
