[743] in linux-security and linux-alert archive
Re: [linux-security] ext2fs file attributes -- denial-of-service attack
daemon@ATHENA.MIT.EDU (Remy Card)
Sun Jun 2 12:48:49 1996
From: card@excalibur.ibp.fr (Remy Card)
To: A.Main@dcs.warwick.ac.uk (Zefram)
Date: Sun, 2 Jun 1996 15:05:10 +0200 (MET DST)
Cc: linux-security@tarsier.cv.nrao.edu, torvalds@cs.helsinki.fi
In-Reply-To: <6729.199605302020@stone.dcs.warwick.ac.uk> from Zefram at "May 30, 96 09:20:46 pm"
About the append-only attribute:
> The only possible solution is to modify the semantics of the
> append-only attribute in the kernel. There are three likely
> approaches: (1) setting the append-only flag can be limited to
> privileged processes; (2) the linking-related effects of the flag can
> be removed, bringing it in line with the description in the chattr man
> page; (3) the effects of the flag could be made to have no effect on
> privileged processes. (3) opens some security holes itself, but should
> be borne in mind. I produced a patch implementing (2) some time ago,
> but it the relevant kernel developers say that (1) is the preferred
> approach.
Well, (1) is really the way to go, I think, and that is how it is
implemented in 4.4BSD (Ok, I did not look carefully enough when implementing
the append-only and immutable attributes and I did make a mistake). Here
is the patch to implement (1):
--- linux/fs/ext2/ioctl.c.orig Sun Jun 2 14:46:16 1996
+++ linux/fs/ext2/ioctl.c Sun Jun 2 14:59:39 1996
@@ -37,11 +37,12 @@
return err;
flags = get_user((int *) arg);
/*
- * The IMMUTABLE flag can only be changed by the super user
- * when the security level is zero.
+ * The IMMUTABLE and APPEND_ONLY flags can only be changed by
+ * the super user when the security level is zero.
*/
- if ((flags & EXT2_IMMUTABLE_FL) ^
- (inode->u.ext2_i.i_flags & EXT2_IMMUTABLE_FL)) {
+ if ((flags & (EXT2_APPEND_FL | EXT2_IMMUTABLE_FL)) ^
+ (inode->u.ext2_i.i_flags &
+ (EXT2_APPEND_FL | EXT2_IMMUTABLE_FL))) {
/* This test looks nicer. Thanks to Pauline Middelink */
if (!fsuser() || securelevel > 0)
return -EPERM;
Linus, can you please integrate it before 2.0 is released?
Thanks!
> --
> Andrew Main <zefram@dcs.warwick.ac.uk>
Remy