From owner-p4-projects@FreeBSD.ORG Sun Aug 3 14:35:42 2003
Return-Path:
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767) id 851E837B407; Sun, 3 Aug 2003 14:35:41 -0700 (PDT)
Delivered-To: perforce@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2F68037B404 for ; Sun, 3 Aug 2003 14:35:41 -0700 (PDT)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5A68943FB1 for ; Sun, 3 Aug 2003 14:35:40 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.6/8.12.6) with ESMTP id h73LZe0U043314 for ; Sun, 3 Aug 2003 14:35:40 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: (from perforce@localhost) by repoman.freebsd.org (8.12.6/8.12.6/Submit) id h73LZdWM043288 for perforce@freebsd.org; Sun, 3 Aug 2003 14:35:39 -0700 (PDT)
Date: Sun, 3 Aug 2003 14:35:39 -0700 (PDT)
Message-Id: <200308032135.h73LZdWM043288@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f
From: Robert Watson
To: Perforce Change Reviews
Subject: PERFORCE change 35438 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: p4 projects tree changes
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 03 Aug 2003 21:35:43 -0000

http://perforce.freebsd.org/chv.cgi?CH=35438

Change 35438 by rwatson@rwatson_paprika on 2003/08/03 14:35:28

	Finish up the quota section; summarize the kernel protections,
	and the impact of file system protections on the backing files.

Affected files ...

.. //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/secarch/chapter.sgml#9 edit

Differences ...

==== //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/secarch/chapter.sgml#9 (text+ko) ====
@@ -1605,37 +1605,31 @@ While the file system is in operation and quota support is enabled, the quota file measurements are updated by the kernel as a result of various file operations allocating or freeing - resources. + resources; the backing files are sychronized with the condition + of the file system during the boot process to account for any + operations that occurred while quotas were disabled, or to + address inconsistencies resulting from a crash or improper + dismounted. Operations requiring allocation in excess of the limits for a process will result in an error and message sent to the - controlling terminal for that process (if any). + controlling terminal for that process (if any). + Quota protections are not enforced for the root user. - XXX: only if uid matches that of file. - - -to retrieve quota information, may do so from the quota definition -files (operator readable), or using the system call interface. -the system call interface will succeed if the effective uid of the -process matches that of the requested user, or if the requested -group quota is present in the processes effective or extended -group set. - - - -control the use of disk space by users or groups -resources of interest are #inodes (#files/directories/...) and #blocks -configured per-filesystem, backed into files that may be on that or -another file system (should be owned by root user) -soft/hard distinctions permits warnings -space synchronized at boot, and tracked over I/O operations -users may monitor their own quota, but privilege required to change -quotas (note: bypass of privilege check is possible if quota -databases are not properly protected). - - - XXX: Odd kernel vs non-kernel enforcement of viewing - protections. - + Quota configuration, including the specific values assigned + as quotas, may be performed only by privileged processes. 
+ Quota information may be retrieved by a unprivileged process for + uids and gids that match the effective uid, effective gid, or + extended group of the process credential. + By setting the + security.bsd.unprivileged_get_quota sysctl, + privileged processes may authorize unprivileged processes to + query the quotas of other uids and gids. + As quota information is stored in backing files, the protections + on the backing files must be set correctly to properly + protect quota information and configuration, or direct I/O to + to the backing files may bypass kernel protections. + By default, quota backing files are readable and writable by + the root user, and readable by the operator group.
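Review bot: the added prose in this hunk carries several typos that will ship into the handbook as written: "sychronized" should be "synchronized", "a crash or improper dismounted" should read "a crash or improper dismount", "by a unprivileged process" should be "by an unprivileged process", and "direct I/O to to the backing files" doubles "to". Two content points while these lines are being touched. The sentence "By setting the security.bsd.unprivileged_get_quota sysctl, privileged processes may authorize unprivileged processes to query the quotas of other uids and gids" never says what value enables the behaviour; stating that the sysctl is off by default and that a non-zero value relaxes the credential check (and that only a privileged process can change it, so the relaxation cannot be self-granted) removes the ambiguity. "Quota protections are not enforced for the root user" uses a different term from the "privileged processes" wording used for quota configuration two sentences later; using one term throughout makes it clear both refer to the same superuser credential. Finally, the removed working notes carried the advice that the backing files "should be owned by root user", while the new closing sentence only describes the default mode bits; since the paragraph's whole point is that misprotected backing files let direct I/O bypass the kernel checks, an explicit statement that the files must remain root-owned and must not be group- or world-writable would preserve that guidance rather than leaving it implied by the default.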