Thread (30 messages) 30 messages, 6 authors, 2021-07-01

Re: [RFC PATCH 0/1] xattr: Allow user.* xattr on symlink/special files if caller has CAP_SYS_RESOURCE

From: Casey Schaufler <casey@schaufler-ca.com>
Date: 2021-07-01 16:58:39
Also in: linux-fsdevel, lkml, selinux

On 7/1/2021 6:10 AM, Vivek Goyal wrote:
On Thu, Jul 01, 2021 at 09:48:33AM +0100, Dr. David Alan Gilbert wrote:
quoted
* Theodore Ts'o (tytso@mit.edu) wrote:
quoted
On Wed, Jun 30, 2021 at 04:01:42PM +0100, Dr. David Alan Gilbert wrote:
quoted
Even if you fix symlinks, I don't think it fixes device nodes or
anything else where the permissions bitmap isn't purely used as the
permissions on the inode.
I think we're making a mountain out of a molehill.  Again, very few
people are using quota these days.  And if you give someone write
access to a 8TB disk, do you really care if they can "steal" 32k worth
of space (which is the maximum size of an xattr, enforced by the VFS).

OK, but what about character mode devices?  First of all, most users
don't have access to huge number of devices, but let's assume
something absurd.  Let's say that a user has write access to *1024*
devices.  (My /dev has 233 character mode devices, and I have write
access to well under a dozen.)

An 8TB disk costs about $200.  So how much of the "stolen" quota space
are we talking about, assuming the user has access to 1024 devices,
and the file system actually supports a 32k xattr.

    32k * 1024 * $200 / 8TB / (1024*1024*1024) = $0.000763 = 0.0763 cents

A 2TB SSD is less around $180, so even if we calculate the prices
based on SSD space, we're still talking about a quarter of a penny.

Why are we worrying about this?
I'm not worrying about storage cost, but we would need to define what
the rules are on who can write and change a user.* xattr on a device
node.  It doesn't feel sane to make it anyone who can write to the
device; then everyone can start leaving droppings on /dev/null.

The other evilness I can imagine, is if there's a 32k limit on xattrs on
a node, an evil user could write almost 32k of junk to the node
and then break the next login that tries to add an acl or breaks the
next relabel.
I guess 64k is per xattr VFS size limit.

#define XATTR_SIZE_MAX 65536

I just wrote a simple program to write "user.<N>" xattrs of size 1K
each and could easily write 1M xattrs. So that 1G worth data right
there. I did not try to push it further.

So a user can write lot of data in the form of user.* xattrs on
symlinks and device nodes if were to open it unconditionally. Hence
permission semantics will probably will have to defined properly.

I am wondering will it be alright if owner of the file (or CAP_FOWNER),
is allowed to write user.* xattrs on symlinks and special files.
That would be sensible.
That's independent of your xattr mapping scheme.
Vivek
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help