September 17th, 2009

Easiest way to corrupt ext2/3 filesystem

Step 1: Okay, this is the /data partition, I want my user to be able to manipulate it. chown pavel.users /data.

Step 2: Hmm, I created some backup directories here, let's move them to a common place.

cd /data; mkdir backup; mv * backup

(do you spot it now?)

Step 3: Verify the filesystem is still ok... it is not:

root@amd:~# time fsck -f /dev/sdb2
fsck 1.41.3 (12-Oct-2008)
e2fsck 1.41.3 (12-Oct-2008)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
/lost+found not found.  Create? no

Pass 3A: Optimizing directories

Pass 4: Checking reference counts
Pass 5: Checking group summary information

/dev/sdb2: ***** FILE SYSTEM WAS MODIFIED *****

/dev/sdb2: ********** WARNING: Filesystem still has errors **********

Now... essentially an unprivileged user "corrupted" my filesystem. Was I too stupid to give him access? Should a missing /lost+found not be treated as a filesystem error? Should the kernel refuse users rm-ing /lost+found? Should maybe lost+found be named .lost+found, so the "corruption" is not as easy to trigger?

In retrospect, yes, I should have expected it. But... did you spot it after step 2?
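
An added example, not part of the original post: a check that reports whether lost+found is still at the root of a mounted filesystem, and a variant of the step 2 move that leaves it in place. The function names lostfound_state and move_into_subdir are made up for this illustration.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not from the post.

# Print the state of lost+found for a filesystem mounted at $1:
#   ok            - present as a directory at the filesystem root
#   moved:<path>  - absent from the root, but found one level down
#   missing       - not found at the root or one level down
lostfound_state() {
    root=$1
    if [ -d "$root/lost+found" ]; then
        echo ok
        return 0
    fi
    for candidate in "$root"/*/lost+found; do
        if [ -d "$candidate" ]; then
            echo "moved:$candidate"
            return 0
        fi
    done
    echo missing
}

# Move every non-hidden entry of $1 into $1/$2, skipping lost+found and
# the destination itself (what "mv * backup" in step 2 did not skip).
move_into_subdir() {
    root=$1
    dest=$2
    mkdir -p "$root/$dest" || return 1
    for entry in "$root"/*; do
        [ -e "$entry" ] || continue   # an unmatched glob stays literal
        case "${entry##*/}" in
            lost+found|"$dest") continue ;;
        esac
        mv -- "$entry" "$root/$dest/" || return 1
    done
}
```

Running lostfound_state /data after a bulk move shows the problem before fsck does; on ext2/3, mklost+found from e2fsprogs recreates the directory when it is gone.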