
September 11, 2003 Archives

September 11, 2003

Linux NFS, quota, and a kernel bug.

We spent quite some time today tracking down an obscure Linux problem: with the commonly used user-space NFS daemon, quota doesn't seem to propagate over NFS. In theory, quota is enforced on the server side.

We think we have found the bug; it's in the 2.4 kernel (but we couldn't test that yet): The user-space NFS daemon runs as root and guards the system calls that touch the file system by calling setfsuid(2) with the requesting client's uid, intending to drop privileges. setfsuid(2) to a non-root uid only clears the capability bits in CAP_FS_MASK from the effective set; in 2.4 that mask is 0x1f, i.e. CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER and CAP_FSETID. The CAP_SYS_RESOURCE bit (1 << 24) is not in that mask, and besides no fewer than seven other resource overrides it controls whether quota limits are enforced: the quota code lets any process with capable(CAP_SYS_RESOURCE) exceed them. So the daemon keeps that bit for every request it serves, and a write on behalf of an NFS client is never refused for exceeding that client's quota. The quick check is the CapEff line in /proc/<pid>/status of the daemon: after a setfsuid() to a non-root uid, bits 0 to 4 are cleared but bit 24 is still set.
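To make the mechanism concrete, here is an added example (not code from this post or from the NFS daemon): a small C program that models the 2.4 setfsuid() fixup, reads the real effective set with capget(2), and then shows the fix a daemon in this position needs, clearing CAP_SYS_RESOURCE explicitly with capset(2). The uid 65534 and the helper names are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/fsuid.h>
#include <linux/capability.h>

/* Values from the 2.4 include/linux/capability.h: CAP_FS_MASK was 0x1f,
 * i.e. CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_FSETID. */
#define CAP_FS_MASK_2_4   0x1fu
#define CAP_BIT(c)        (1u << (c))

/* Model of the fixup sys_setfsuid() applies to the effective set when the
 * fsuid goes from 0 to a non-zero uid: only the CAP_FS_MASK bits go away,
 * CAP_SYS_RESOURCE (bit 24) survives. */
uint32_t effective_after_setfsuid(uint32_t effective_before)
{
    return effective_before & ~CAP_FS_MASK_2_4;
}

/* Low 32 effective capability bits of the calling process, via capget(2).
 * Works without privilege (pid 0 = self). Returns 0 on success, -1 on error. */
int read_effective(uint32_t *out)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    *out = data[0].effective;
    return 0;
}

/* 1 if CAP_SYS_RESOURCE is in the effective set, 0 if not, -1 on error. */
int has_cap_sys_resource(void)
{
    uint32_t eff;
    if (read_effective(&eff) != 0)
        return -1;
    return !!(eff & CAP_BIT(CAP_SYS_RESOURCE));
}

/* The fix a daemon like this needs: clear one capability from its own
 * effective and permitted sets with capset(2). Reducing your own sets needs
 * no privilege, so this succeeds as root and as an ordinary user alike. */
int drop_cap(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    int word = cap / 32, bit = cap % 32;
    data[word].effective &= ~(1u << bit);
    data[word].permitted &= ~(1u << bit);
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

static void show(const char *when)
{
    uint32_t eff;
    if (read_effective(&eff) != 0) { perror("capget"); return; }
    printf("%-30s CapEff=0x%08x  CAP_DAC_OVERRIDE=%d  CAP_SYS_RESOURCE=%d\n",
           when, eff,
           !!(eff & CAP_BIT(CAP_DAC_OVERRIDE)),
           !!(eff & CAP_BIT(CAP_SYS_RESOURCE)));
}

int main(void)
{
    /* Run as root to see the effect. 65534 stands in for a squashed client
     * uid; it is an assumption of this demo, not a value from the post. */
    show("at start");
    setfsuid(65534);
    show("after setfsuid(65534)");       /* as root: bit 1 clear, bit 24 still set */
    if (drop_cap(CAP_SYS_RESOURCE) != 0)
        perror("capset");
    show("after dropping CAP_SYS_RESOURCE"); /* bit 24 clear: quota now applies */
    return 0;
}
```

Run it as root to see the middle line keep bit 24 while bit 1 is gone; as an ordinary user setfsuid() is refused and the sets are empty from the start. Dropping the bit from the permitted set as well means it cannot be switched back on later, which is what you want in a daemon that never has a reason to bypass quota.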

It's amazing how the complexity introduced by the capability system leads to new bugs, instead of increasing system security.

About September 2003

This page contains all entries posted to No Such Weblog in September 2003. They are listed from oldest to newest.


This weblog is licensed under a Creative Commons License.