Bug 469753

Summary: Enable remote quota support (--enable-rpcsetquota=yes) in RHEL quota utilities
Product: Red Hat Enterprise Linux 5
Reporter: Franco M. Bladilo <bladilo>
Component: quota
Assignee: Petr Pisar <ppisar>
Status: CLOSED ERRATA
QA Contact: Martin Cermak <mcermak>
Severity: high
Priority: medium
Version: 5.2
CC: azelinka, mcermak, ovasik
Target Milestone: rc
Keywords: FutureFeature, SELinux
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: quota-3.13-2.el5
Doc Type: Enhancement
Doc Text:
The superuser is now able to use the '-r' (remote) option to edit quota limits on a remote system via remote procedure call (RPC) using the standard quota limit utilities. This enables quota limits on file systems which are mounted over the network.
Story Points: ---
Last Closed: 2011-01-13 22:10:17 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Franco M. Bladilo 2008-11-03 21:15:25 UTC
Description of problem:

We implement filesystem quotas for many servers and clusters in campus and this feature is crucial to support the scalability of our centralized NFS services. We can't count on the file service nodes to be able to lookup account credentials for each of the clients.

Version-Release number of selected component (if applicable):

quota-3.13-1.2.5

How reproducible:

Install RHEL5 and try to use the remote "-r" quota feature in all utilities.

Steps to Reproduce:
1.
2.
3.
  
Actual results:

Not able to set quotas remotely.

Expected results:

Being able to set quotas remotely over RPC.

Additional info:

Comment 1 Ondrej Vasik 2008-11-04 07:34:51 UTC
Thanks for the suggestion, I have the same request for Fedora as well but I'm not sure about 100% safety of that feature. That's IMHO one of the reasons why it is not enabled by default in the upstream release. Anyway, I would suggest contacting Red Hat product support (Bugzilla is not product support) to give priority to such a change. It has to be tested quite a lot to make it safe for everyone.

Comment 2 Ondrej Vasik 2008-11-04 14:29:53 UTC
Additionally, --enable-rpcsetquota=YES only enables the setquota -r and edquota -r possibility... this could be easily done by an ssh connection to the distant machine and running those commands locally; in a script it would have the same result for you and no possible security impact for others. Rquotad works over RPC even without that option enabled.

Comment 10 Petr Pisar 2010-07-29 13:56:02 UTC
We spotted a problem: the /usr/sbin/rpc.rquotad binary is denied the quotactl(SETQUOTA) syscall by SELinux:

type=AVC msg=audit(1280410596.965:31522): avc:  denied  { quotamod } for  pid=6857 comm="rpc.rquotad" scontext=root:system_r:rpcd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1280410596.965:31522): arch=c000003e syscall=179 success=no exit=-13 a0=80000800 a1=2b0680737108 a2=8ae a3=7fff9bfe3490 items=0 ppid=1 pid=6857 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5122 comm="rpc.rquotad" exe="/usr/sbin/rpc.rquotad" subj=root:system_r:rpcd_t:s0 key=(null)

In contrast, /usr/sbin/setquota is allowed to do it, as it has a different role:

-rwxr-xr-x. root root system_u:object_r:rpcd_exec_t:s0 /usr/sbin/rpc.rquotad
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/setquota

We need to change /usr/sbin/setquota role or change SELinux policy.
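
The AVC/SYSCALL pair above is exactly the kind of record a defender wants to catch before users report that remote quota edits silently fail. As an added example (not code from this bug or from the quota package), a small Python audit-log parser that correlates the two records by audit serial, keeps only denied quotamod requests on a filesystem, and decodes the syscall and exit code; the third sample record is constructed here so the filter has something to skip, and the x86_64 syscall table is reduced to the one entry needed.

```python
import re
from typing import Dict, List

# Constructed sample: the two audit records quoted in comment 10 plus one
# unrelated (granted, no SYSCALL record) line added so the filter has work to do.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1280410596.965:31522): avc:  denied  { quotamod } for  pid=6857 comm="rpc.rquotad" scontext=root:system_r:rpcd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1280410596.965:31522): arch=c000003e syscall=179 success=no exit=-13 a0=80000800 a1=2b0680737108 a2=8ae a3=7fff9bfe3490 items=0 ppid=1 pid=6857 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5122 comm="rpc.rquotad" exe="/usr/sbin/rpc.rquotad" subj=root:system_r:rpcd_t:s0 key=(null)
type=AVC msg=audit(1280410600.001:31523): avc:  granted  { quotaget } for  pid=6857 comm="rpc.rquotad" scontext=root:system_r:rpcd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{ ([^}]*) \}')
SERIAL_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')

# arch=c000003e is AUDIT_ARCH_X86_64; syscall 179 there is quotactl.
X86_64_SYSCALLS = {179: "quotactl"}

def parse_record(line: str) -> dict:
    """Split one audit record into a dict; quoted values lose their quotes."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = SERIAL_RE.search(line)
    if m:
        rec["timestamp"], rec["serial"] = m.group(1), m.group(2)
    m = PERMS_RE.search(line)
    if m:
        rec["result"], rec["perms"] = m.group(1), m.group(2).split()
    return rec

def find_quota_denials(audit_text: str) -> List[dict]:
    """Group records by serial, then report denied quotamod on a filesystem
    with the source domain, target type, executable and decoded syscall."""
    by_serial: Dict[str, Dict[str, dict]] = {}
    for line in audit_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            by_serial.setdefault(rec["serial"], {})[rec["type"]] = rec
    findings = []
    for serial, recs in by_serial.items():
        avc = recs.get("AVC")
        if not avc or avc.get("result") != "denied":
            continue
        if avc.get("tclass") != "filesystem" or "quotamod" not in avc["perms"]:
            continue
        sc = recs.get("SYSCALL", {})   # may be absent if the log is truncated
        decoded = X86_64_SYSCALLS.get(int(sc.get("syscall", -1)), "unknown") \
            if sc.get("arch") == "c000003e" else "unknown"
        findings.append({"serial": serial,
                         "domain": avc["scontext"].split(":")[2],      # rpcd_t
                         "target_type": avc["tcontext"].split(":")[2], # fs_t
                         "exe": sc.get("exe", avc.get("comm")),
                         "syscall": decoded,
                         "errno": int(sc.get("exit", "0"))})           # -13 = EACCES
    return findings
```

Feeding `ausearch -m AVC,SYSCALL --raw` output into `find_quota_denials` gives the same result on a live system; a hit with domain `rpcd_t` and target `fs_t` is this bug's signature.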

Comment 11 Petr Pisar 2010-08-02 12:03:52 UTC
The SELinux issue has been discussed with mgrepl off-line. A new bug against the SELinux policy component will be opened.

Comment 12 Martin Cermak 2010-08-04 06:50:29 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
For remote quotas to work with SELinux you have to adjust the rpc.quotad SELinux context until BZ#621057 is resolved.

Comment 16 Martin Prpič 2010-12-10 15:14:36 UTC
Technical note updated. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1 +1 @@
-For remote quotas to work with SELinux you have to adjust the rpc.quotad SELinux context until BZ#621057 is resolved.+The superuser is now able to use the '-r' (remote) option to edit quota limits on a remote system via remote procedure call (RPC) using the standard quota limit utilities. This enables quota limits on file systems which are mounted oven the network.
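Review bot: the replacement text on the `+` side carries a typo, "mounted oven the network"; it should read "mounted over the network" before this note is published with the erratum.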

Comment 18 errata-xmlrpc 2011-01-13 22:10:17 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0023.html