Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 08 Aug 1998 19:01:23 -0400
From:      Dan Swartzendruber <dswartz@druber.com>
To:        Tom <tom@uniserve.com>
Cc:        Joe Gleason <clash@tasam.com>, freebsd-stable@FreeBSD.ORG
Subject:   Re: Quota bug crashing system?
Message-ID:  <3.0.5.32.19980808190123.00941670@mail.kersur.net>
In-Reply-To: <Pine.BSF.3.96.980808153328.3139C-100000@shell.uniserve.ca>
References:  <3.0.5.32.19980808152803.0094d820@mail.kersur.net>
next in thread | previous in thread | raw e-mail | index | archive | help 

At 03:48 PM 8/8/98 -0700, Tom wrote:
>
>On Sat, 8 Aug 1998, Dan Swartzendruber wrote:
>
>> Speaking of quotas, maybe someone can enlighten me on a quota
>> related issue: it seems that (at least as some 6 months or so ago),
>> 2.2 didn't correctly handle SUID programs.  e.g. if a SUID root
>> process has done setuid() (whichever flavor) to some less privileged
>> UID, the original (root) quota continues to apply.  This is arguably
>> a bug.  From what I can tell looking at the code, the decision about
>
>  Not quite.  Quotas are done by file ownership, not the current uid.
>
>  You should check that the file you are writing to is owned by someone
>with the appropiate quota.

Sorry, this is incorrect.  I did do at least the minimal diligence to
read through the code enough to understand this.  Also, proving it by
writing a trivial program that reproduces the bug (by setuid() to a
user with a quota entry for the FS in question.  The program, which is
SUID root, can exceed the quota with no problems).  Here is one of the
problematic places (in ufs/ufs/ufs_quota.c):

        /*
         * If user would exceed their hard limit, disallow space allocation.
         */
        if (ncurblocks >= dq->dq_bhardlimit && dq->dq_bhardlimit) {
                if ((dq->dq_flags & DQ_BLKS) == 0 &&
                    ip->i_uid == cred->cr_uid) {
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^
                        uprintf("\n%s: write failed, %s disk limit reached\n",
                            ITOV(ip)->v_mount->mnt_stat.f_mntonname,
                            quotatypes[type]);
                        dq->dq_flags |= DQ_BLKS;
                }
                return (EDQUOT);
        }
 
The underlined check is the problem.  From what I can tell, the credential
in question is generated when the process is created (at which time it has
a uid of zero, and that is the effective quota UID forevermore).



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3.0.5.32.19980808190123.00941670>