Date: Sun, 3 Aug 2003 14:35:39 -0700 (PDT)
From: Robert Watson <rwatson@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 35438 for review
Message-ID: <200308032135.h73LZdWM043288@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=35438

Change 35438 by rwatson@rwatson_paprika on 2003/08/03 14:35:28

	Finish up the quota section; summarize the kernel protections,
	and the impact of file system protections on the backing files.

Affected files ...

.. //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/secarch/chapter.sgml#9 edit

Differences ...

==== //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/secarch/chapter.sgml#9 (text+ko) ====
@@ -1605,37 +1605,31 @@ While the file system is in operation and quota support is enabled, the quota file measurements are updated by the kernel as a result of various file operations allocating or freeing - resources. + resources; the backing files are sychronized with the condition + of the file system during the boot process to account for any + operations that occurred while quotas were disabled, or to + address inconsistencies resulting from a crash or improper + dismounted. Operations requiring allocation in excess of the limits for a process will result in an error and message sent to the - controlling terminal for that process (if any).</para> + controlling terminal for that process (if any). + Quota protections are not enforced for the root user.</para> - <para>XXX: only if uid matches that of file.</para> - -<para> -to retrieve quota information, may do so from the quota definition -files (operator readable), or using the system call interface. -the system call interface will succeed if the effective uid of the -process matches that of the requested user, or if the requested -group quota is present in the processes effective or extended -group set. -</para> - -<para> -control the use of disk space by users or groups -resources of interest are #inodes (#files/directories/...) and #blocks -configured per-filesystem, backed into files that may be on that or -another file system (should be owned by root user) -soft/hard distinctions permits warnings -space synchronized at boot, and tracked over I/O operations -users may monitor their own quota, but privilege required to change -quotas (note: bypass of privilege check is possible if quota -databases are not properly protected). -</para> - - <para>XXX: Odd kernel vs non-kernel enforcement of viewing - protections.</para> - + <para>Quota configuration, including the specific values assigned + as quotas, may be performed only by privileged processes. 
+ Quota information may be retrieved by a unprivileged process for + uids and gids that match the effective uid, effective gid, or + extended group of the process credential. + By setting the + <literal>security.bsd.unprivileged_get_quota</literal> sysctl, + privileged processes may authorize unprivileged processes to + query the quotas of other uids and gids. + As quota information is stored in backing files, the protections + on the backing files must be set correctly to properly + protect quota information and configuration, or direct I/O to + to the backing files may bypass kernel protections. + By default, quota backing files are readable and writable by + the root user, and readable by the operator group.</para> </sect2> <sect2 id="secarch-chroot">
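Review bot: the new paragraphs in this hunk carry several wording errors that will ship into the handbook as written: "the backing files are sychronized" should read "synchronized"; "resulting from a crash or improper dismounted" should read "resulting from a crash or an improper unmount"; "retrieved by a unprivileged process" should read "an unprivileged process"; and "direct I/O to to the backing files" has a doubled "to". Two smaller points on precision. "By setting the security.bsd.unprivileged_get_quota sysctl" leaves the required value implicit; stating that it must be set to a non-zero value makes the behaviour unambiguous. "Quota protections are not enforced for the root user" sits next to a paragraph about who may view and change quotas, so it would help to say explicitly that it is the allocation limits that are not enforced for root, while the viewing and configuration checks described in the following paragraph are a separate matter. The removal of the two XXX notes is fine: the point about bypassing kernel checks through the backing files and the note about viewing protections are both now covered by the sentence on backing-file permissions and the description of the effective uid/gid and extended group check.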