2005-11-27 21:48:42

by Andries E. Brouwer

Subject: user mounting


Many distributions are willing to let a user mount her own
floppy or CDROM or memory stick, where it is not intended
that a user can crash the system or subvert security.

However, at present an fstab line with "auto" for filesystem type
allows the user to come with her own maliciously constructed
filesystem and crash the system - there are many filesystem
types, and the more obscure ones among them are full of bugs.

Less obscure filesystem types still allow an easy denial of service -
for example, if the kernel does a printk() for every filesystem error,
one can keep syslog busy for hours or days, where very little else
happens.

The ext2 filesystem allows one to specify what happens upon error,
for example "panic on error". Now mounting a corrupt ext2 filesystem image
with this bit set causes the kernel to panic voluntarily.

I mentioned such things some time ago to a few people, but they
did not seem impressed.

Still, I think we should try to design a better behaviour.

Part of my proposal for a solution lives in kernel space.
Introduce a mount flag "user mounted". When it is set,
the kernel will not do a printk() for this filesystem,
and certainly will not panic.

On the user space side of things, distributions using "auto" today
might consider changing that into explicit comma-separated lists
of alternatives, so that adding new untested filesystems to the kernel
does not increase the risk of running that kernel.

Andries
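An added example, not part of the thread: a small audit of /etc/fstab along the lines of the user-space suggestion above. It flags user-mountable entries (user/users/owner/group) whose type is "auto", and ext2/ext3 entries that either ask for errors=panic or set no errors= option at all (the mount option overrides the error policy stored in the image's superblock, so leaving it unset lets the image decide). The fstab content is constructed.

```python
# Constructed sample fstab (not from the thread). fd0 and sdb1/sdc1 show the
# risky patterns; sdb2 and the cdrom line show explicit, pinned alternatives.
SAMPLE_FSTAB = """\
# <device>   <mount point>  <type>       <options>                                  <dump> <pass>
/dev/fd0     /media/floppy  auto         user,noauto,nodev,nosuid                    0 0
/dev/sdb1    /media/stick   ext2         users,noauto,errors=panic                   0 0
/dev/sdc1    /media/stick2  ext2         users,noauto,nodev,nosuid                   0 0
/dev/sdb2    /media/stick3  ext2         users,noauto,errors=remount-ro,nodev,nosuid 0 0
/dev/cdrom   /media/cdrom   iso9660,udf  users,noauto,ro,nodev,nosuid                0 0
/dev/sda1    /              ext3         defaults,errors=remount-ro                  0 1
"""

USER_MOUNT_OPTS = {"user", "users", "owner", "group"}  # options that allow non-root mounts
EXT_FS = {"ext2", "ext3"}                               # types honouring errors=


def parse_fstab(text):
    """Yield one dict per fstab entry; comments, blank and short lines are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry: mount(8) would not use it either
        yield {
            "device": fields[0],
            "mountpoint": fields[1],
            "fstypes": set(fields[2].split(",")),  # mount(8) allows a comma list here
            "options": set(fields[3].split(",")),
        }


def audit_fstab(text):
    """Return (device, problem) pairs for user-mountable entries that let the
    user choose the filesystem driver or that can end in a voluntary panic."""
    findings = []
    for entry in parse_fstab(text):
        opts = entry["options"]
        if not opts & USER_MOUNT_OPTS:
            continue  # root-only mounts are outside the user-mounting threat model
        if "auto" in entry["fstypes"]:
            findings.append((entry["device"], "fstype auto"))
        if entry["fstypes"] & EXT_FS:
            if "errors=panic" in opts:
                findings.append((entry["device"], "errors=panic"))
            elif not any(o.startswith("errors=") for o in opts):
                findings.append((entry["device"], "no errors= option"))
    return findings


if __name__ == "__main__":
    for device, problem in audit_fstab(SAMPLE_FSTAB):
        print(f"{device}: {problem}")
```

Run it against a real /etc/fstab by replacing SAMPLE_FSTAB with the file's contents; a clean run prints nothing.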


2005-11-27 22:10:16

by Tim Schmielau

Subject: Re: user mounting

On Sun, 27 Nov 2005, [email protected] wrote:

> Part of my proposal for a solution lives in kernel space.
> Introduce a mount flag "user mounted". When it is set,
> the kernel will not do a printk() for this filesystem,

Rate limiting seems like a better solution to me.

2005-11-28 11:00:57

by Bas Westerbaan

Subject: Re: user mounting

You can't rate limit a panic.

It would be better to fix the filesystem bugs instead of adding
security measures preventing crashing filesystems from crashing the rest of
the kernel.

And to catch every possible crash of filesystem code would be a lot
more work than fixing the filesystems themselves AFAIK.

Regards,

Bas

On 11/27/05, Tim Schmielau <[email protected]> wrote:
> On Sun, 27 Nov 2005, [email protected] wrote:
>
> > Part of my proposal for a solution lives in kernel space.
> > Introduce a mount flag "user mounted". When it is set,
> > the kernel will not do a printk() for this filesystem,
>
> Rate limiting seems like a better solution to me.


--
Bas Westerbaan
http://blog.w-nz.com/
GPG Public Keys: http://w-nz.com/keys/bas.westerbaan.asc