[systemd-devel] /run DoS

[Michał Piotrowski]

W dniu 3 kwietnia 2011 23:14 użytkownik Lennart Poettering
<mzerqung at 0pointer.de> napisał:
> On Sun, 03.04.11 23:05, Michał Piotrowski (mkkp4x4 at gmail.com) wrote:
>
>>
>> W dniu 3 kwietnia 2011 22:39 użytkownik Lennart Poettering
>> <mzerqung at 0pointer.de> napisał:
>> > On Sun, 03.04.11 13:54, Lennart Poettering (mzerqung at 0pointer.de) wrote:
>> >
>> >> On Sun, 03.04.11 13:10, Michał Piotrowski (mkkp4x4 at gmail.com) wrote:
>> >>
>> >> > Hi,
>> >> >
>> >> > I can write to /run/user/michal in this way I can fill the entire free
>> >> > tmpfs space which is not good from my POV.
>> >>
>> >> Yupp, this is trivially fixable by placing another tmpfs on /run/user,
>> >> which can be done by installing a run-user.mount unit.
>> >>
>> >> We considered doing so by default, but stepped back a little, since we
>> >> didn't want to add another tmpfs to the mix, just like that. But yeah,
>> >> we probably should do that.
>> >
>> > We have the same vulnerability on /dev/shm btw.
>> >
>> > For now Kay and I are leaning to leaving things as they are for now, and
>> > count on that the kernel folks add quota support to tmpfs one day, since
>> > that appears the correct fix.
>>
>> Of course it will be the best solution. But I doubt it will happen in
>> a next few weeks - so some temporary workaround for F15 would be
>> appreciated. It seems to me that this is a too serious problem to
>> release F15 without fixing/workarounding it somehow.
>
> Well, /run/user can be fixed trivially, just by adding a separate tmpfs
> for it.

As I said - I think that this will be best solution for now.

> But for /dev/shm I see no quick fix... do you?

Unfortunately not. No one foresaw that quota support on tmpfs will
someday be useful :)

>
> I think we should fix either both or should wait for the proper fix by
> the kernel.

Can you temporarily fix one?

>
> Lennart
>
> --
> Lennart Poettering - Red Hat, Inc.
>



-- 
Best regards,
Michal

http://eventhorizon.pl/