PERFORCE change 35438 for review

Robert Watson rwatson at
Sun Aug 3 21:35:39 GMT 2003

Change 35438 by rwatson at rwatson_paprika on 2003/08/03 14:35:28

	Finish up the quota section; summarize the kernel protections,
	and the impact of file system protections on the backing files.

Affected files ...

.. //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/secarch/chapter.sgml#9 edit

Differences ...

==== //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/secarch/chapter.sgml#9 (text+ko) ====

@@ -1605,37 +1605,31 @@
 	While the file system is in operation and quota support is
 	enabled, the quota file measurements are updated by the kernel
 	as a result of various file operations allocating or freeing
-	resources.
+	resources; the backing files are sychronized with the condition
+	of the file system during the boot process to account for any
+	operations that occurred while quotas were disabled, or to
+	address inconsistencies resulting from a crash or improper
+	dismounted.
 	Operations requiring allocation in excess of the limits for a
 	process will result in an error and message sent to the
-	controlling terminal for that process (if any).</para>
+	controlling terminal for that process (if any).
+	Quota protections are not enforced for the root user.</para>
-      <para>XXX: only if uid matches that of file.</para>
-to retrieve quota information, may do so from the quota definition
-files (operator readable), or using the system call interface.
-the system call interface will succeed if the effective uid of the
-process matches that of the requested user, or if the requested
-group quota is present in the processes effective or extended
-group set.
-control the use of disk space by users or groups
-resources of interest are #inodes (#files/directories/...) and #blocks
-configured per-filesystem, backed into files that may be on that or
-another file system (should be owned by root user)
-soft/hard distinctions permits warnings
-space synchronized at boot, and tracked over I/O operations
-users may monitor their own quota, but privilege required to change
-quotas (note: bypass of privilege check is possible if quota
-databases are not properly protected).
-      <para>XXX: Odd kernel vs non-kernel enforcement of viewing
-	protections.</para>
+      <para>Quota configuration, including the specific values assigned
+	as quotas, may be performed only by privileged processes.
+	Quota information may be retrieved by a unprivileged process for
+	uids and gids that match the effective uid, effective gid, or
+	extended group of the process credential.
+	By setting the
+	<literal>security.bsd.unprivileged_get_quota</literal> sysctl,
+	privileged processes may authorize unprivileged processes to
+	query the quotas of other uids and gids.
+	As quota information is stored in backing files, the protections
+	on the backing files must be set correctly to properly
+	protect quota information and configuration, or direct I/O to
+	to the backing files may bypass kernel protections.
+	By default, quota backing files are readable and writable by
+	the root user, and readable by the operator group.</para>
     <sect2 id="secarch-chroot">
To Unsubscribe: send mail to majordomo at
with "unsubscribe trustedbsd-cvs" in the body of the message

More information about the trustedbsd-cvs mailing list