2008-07-27 10:34:32

by Rohit Sharma

Subject: Multiple Data Stream

Does ext2/ext3 support multiple data streams?


2008-07-27 23:05:04

by Theodore Ts'o

Subject: Re: Multiple Data Stream

On Sun, Jul 27, 2008 at 04:04:32PM +0530, Rohit Sharma wrote:
> Does ext2/ext3 supports multiple data streams.

No. The primary use of alternate data streams in Windows XP has been
Virii, Trojan Horses, and Rootkits. See this article by Rick Cook,
"Alternate Data Streams: Threat or Menace:"

http://www.informit.com/articles/article.aspx?p=413685

(Threat or Menace? Menace or Threat? Or to quote Bugs Bunny/Daffy
Duck, "Would you like to shoot me now or wait till you get home?" :-)

I've heard stories of System Administrators refusing to upgrade past
Solaris 8 because of concerns of attackers being able to use the
alternate data streams feature which Sun unfortunately added in
Solaris 9 to hide rootkits in ways that traditional scanning tools
would not be able to detect.

I've yet to see a coherent argument for why multiple data streams are
worth it....

- Ted


Bugs Bunny: Would you like to shoot me now or wait 'til you get home?
Daffy Duck: Shoot him now! Shoot him now!
Bugs Bunny: You keep outta this! He doesn't have to shoot you now!
Daffy Duck: He does SO have to shoot me now!
[to Elmer]
Daffy Duck: I demand that you shoot me now!
[Elmer raises his gun. As Daffy sticks his tongue out at Bugs, he is shot]


Daffy Duck: Let'th run through that again.
Bugs Bunny: Okay.
[neutral toned]
Bugs Bunny: Wouldja like to shoot me now or wait till ya get home.
Daffy Duck: [neutral toned] Shoot him now, shoot him now.
Bugs Bunny: [neutral toned] You keep outta dis, he doesn't hafta shoot you now.
Daffy Duck: [with expression] HA! THAT'TH IT! HOLD IT RIGHT THERE!
[to audience]
Daffy Duck: Pronoun trouble.
[to Bugs]
Daffy Duck: It'th not "He doethn't have to shoot
[pointing to Bugs]
Daffy Duck: *you* now." It'th "He doethn't have to shoot
[pointing to himself]
Daffy Duck: *me* now."
[with anger]
Daffy Duck: Well, *I* thay he *does* have to shoot me now!
[to Elmer]
Daffy Duck: THO SHOOT ME NOW!
[Elmer shoots him]

2008-07-28 19:30:24

by SandeepKsinha

Subject: Re: Multiple Data Stream

Theodore Tso wrote:
>
> On Sun, Jul 27, 2008 at 04:04:32PM +0530, Rohit Sharma wrote:
>> Does ext2/ext3 supports multiple data streams.
>
> No. The primary use of alternate data streams in Windows XP has been
> Virii, Trojan Horses, and Rootkits. See this article by Rick Cook,
> "Alternate Data Streams: Threat or Menace:"
>
>
> http://www.informit.com/articles/article.aspx?p=413685
>
> (Threat or Menace? Menance or Threat? Or to quote Bugs Bunny/Daffy
> Duck, "Would you like to shoot me now or wait till you get home?" :-)
>
> I've heard stories of System Administrators refusing to upgrade past
> Solaris 8 because of concerns of attackers being able to use the
> alternate data streams feature which Sun unfortunately added in
> Solaris 9 to hide rootkits in ways that traditional scanning tools
> would not be able to detect.
>
> I've yet to see a coherent argument for why multiple data streams is
> worth it....
>
>

Hey Ted,
I am a newbie to these filesystems, but I can see the positive sides of
these Alternate Data Streams or multiple data streams too, needless to
mention those.

If you look a bit deeper into it, from my perspective and the kind of
implementation I look forward to, here is what I have.

Access to the multiple data streams can be done through a file descriptor.
Applications can open a multiple data stream to get a file descriptor and
can do read(), write(), mmap(), etc. using the file descriptor. These system
calls would work as if they were operating on a regular file.
The multiple data streams of a file will be stored in a hidden named data
stream directory inode associated with the file. The hidden directory inode
for the file can be accessed only through the multiple data stream API.

Now, as the multiple data streams have their own associated inodes, we could
store the access permissions as well as the owner/group information in the
multiple data stream inode. This way the access control for the multiple
data stream can be controlled by the permissions stored in the multiple data
stream inode.
We could have a model where the permissions on the parent file are used
to check the accessibility of the alternate data stream. It would
also make great sense to me if we just add a fallback to the kernel to
decide whether a user with particular credentials should be allowed to
access/make changes to these multiple data streams that are associated with
the file.

To add more to it, any regular file can be created in the regular way, but
whatever mechanism is used to create these multiple data streams associated
with the regular file will surely undergo a permission check by the
underlying OS or the filesystem.

Thanks & Regards,
SandeepKsinha.



2008-07-28 20:15:18

by Theodore Ts'o

Subject: Re: Multiple Data Stream

On Mon, Jul 28, 2008 at 12:30:23PM -0700, SandeepKsinha wrote:
> I am a newbie into these filesystems but I can see the positive sides of
> these Alternate Data Streams or multiple data streams too, needless to
> mention those.
>
> If you look a bit more deeper into it, in my perspective and the kind of
> implementation I look forward to, here is what I have.

You've explained *how* to do it, but not *why* it would be a good
idea. I'm aware that it's not that difficult to do. But it becomes a
mess for system administrators. Most backup tools won't know how to
deal with alternate data streams, so they won't be backed up
correctly. None of rsync, ftp, zip, scp, etc. deal with alternate
data streams, so the potential for data loss is limitless.

> Access to the multiple data stream can be done through a file descriptor.
> Applications can open the multiple data stream to get a file descriptor and
> can do read(), write(), mmap().. using the file descriptor. These system
> calls would work as if it is been operated on a regular file.
> The multiple data streams of a file will be stored in a hidden named data
> stream directory inode associated with the file. The hidden directory inode
> for the file can be accessed only through the multiple data stream API.

Yes, I'm aware that this is how Solaris 9 implemented alternate data
streams. For a good time, assuming that /var/tmp/demo_file is a file
that contains alternate data forks owned by an unprivileged user, try
this command as that unprivileged user: "runat /var/tmp/demo_file chmod 0 ."

Now try to get access to the alternate data forks; there is no way to
recover without root access. Lovely, eh?

- Ted