JFFS2/xattr problems.

KaiGai Kohei kaigai at kaigai.gr.jp
Tue Jun 13 09:36:59 EDT 2006

Hi, Jörn

> Seems you missed Ted's presentation at LCA this year.  Among the
> interesting bits:

If this presentation is public, could you tell me the URL?
This indication is highly suggestive for me.
Especially, I have not imagine yet the possibility that
malware uses xattr to hide itself.


> o Pretty much anything on Linux is limited to 64KiB or less.
> o Ext[23] is limited to 4KiB total for all attributes, including all
>   keys and all values.
> o The biggest user of Alternate Streams (less-limited versions of
>   xattr on Windows, Solaris, etc.) arguably is root kits.  Alternate
>   Streams have the advantage that tripwire etc. don't understand them
>   and won't look for malware there.
> o Some system administrators have no plans to upgrade to Solaris 9
>   ever, because it supports Alternate Streams.  The trouble of hidden
>   malware is not worth the gains.
> Notable was also, that Ted repeated the last two points in several
> variations.  Not sure if I would follow his line of thought 100%, but
> he does have a point.
> Jörn
KaiGai Kohei <kaigai at kaigai.gr.jp>

More information about the linux-mtd mailing list