Bug 469753 - Enable remote quota support (--enable-rpcsetquota=yes) in RHEL quota utilities
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: quota
Version: 5.2
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Petr Pisar
QA Contact: Martin Cermak
Keywords: FutureFeature, SELinux
Reported: 2008-11-03 16:15 EST by Franco M. Bladilo
Modified: 2011-01-13 17:10 EST
Fixed In Version: quota-3.13-2.el5
Doc Type: Enhancement
Doc Text:
The superuser is now able to use the '-r' (remote) option to edit quota limits on a remote system via remote procedure call (RPC) using the standard quota limit utilities. This enables quota limits on file systems which are mounted over the network.
Last Closed: 2011-01-13 17:10:17 EST
Description Franco M. Bladilo 2008-11-03 16:15:25 EST
Description of problem:

We implement filesystem quotas for many servers and clusters on campus, and this feature is crucial to support the scalability of our centralized NFS services. We can't count on the file service nodes to be able to look up account credentials for each of the clients.

Version-Release number of selected component (if applicable):

quota-3.13-1.2.5

How reproducible:

Install RHEL5 and try to use the remote "-r" quota feature in all utilities.

Steps to Reproduce:
1.
2.
3.
  
Actual results:

Not able to set quotas remotely.

Expected results:

Being able to set quotas remotely over RPC.

Additional info:
Comment 1 Ondrej Vasik 2008-11-04 02:34:51 EST
Thanks for the suggestion. I have the same request for Fedora as well, but I'm not sure about the 100% safety of that feature. That's IMHO one of the reasons why it is not enabled by default in the upstream release. Anyway, I would suggest contacting Red Hat product support (Bugzilla is not product support) to give priority to such a change. It has to be tested quite a lot to make it safe for everyone.
Comment 2 Ondrej Vasik 2008-11-04 09:29:53 EST
Additionally, --enable-rpcsetquota=YES only enables the setquota -r and edquota -r possibility. This could easily be done by an ssh connection to the distant machine and running those commands locally; in a script it would have the same result for you and no possible security impact for others. Rquotad works over RPC even without that option enabled.
Comment 10 Petr Pisar 2010-07-29 09:56:02 EDT
We spotted a problem: the /usr/sbin/rpc.rquotad binary is denied the quotactl(SETQUOTA) syscall by SELinux:

type=AVC msg=audit(1280410596.965:31522): avc:  denied  { quotamod } for  pid=6857 comm="rpc.rquotad" scontext=root:system_r:rpcd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1280410596.965:31522): arch=c000003e syscall=179 success=no exit=-13 a0=80000800 a1=2b0680737108 a2=8ae a3=7fff9bfe3490 items=0 ppid=1 pid=6857 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5122 comm="rpc.rquotad" exe="/usr/sbin/rpc.rquotad" subj=root:system_r:rpcd_t:s0 key=(null)

In contrast, /usr/sbin/setquota is allowed to do it, as it has a different role:

-rwxr-xr-x. root root system_u:object_r:rpcd_exec_t:s0 /usr/sbin/rpc.rquotad
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/setquota

We need to change the /usr/sbin/setquota role or change the SELinux policy.
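An added example, not part of the comment above or of the quota package: a small triage script that joins the AVC and SYSCALL records from comment 10 by audit event serial, decodes the quotactl command word in a0, and prints the type-enforcement rule the denial corresponds to. The function names are hypothetical, and the SYSCALL record is shortened to the fields the script reads.

```python
import re

# Audit records from comment 10 (SYSCALL record shortened to the fields used here).
RECORDS = [
    'type=AVC msg=audit(1280410596.965:31522): avc:  denied  { quotamod } for  pid=6857 '
    'comm="rpc.rquotad" scontext=root:system_r:rpcd_t:s0 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem',
    'type=SYSCALL msg=audit(1280410596.965:31522): arch=c000003e syscall=179 success=no '
    'exit=-13 a0=80000800 a1=2b0680737108 a2=8ae a3=7fff9bfe3490 '
    'exe="/usr/sbin/rpc.rquotad" subj=root:system_r:rpcd_t:s0',
]

X86_64_QUOTACTL = ("c000003e", "179")  # audit arch / syscall number of quotactl(2) on x86_64
QUOTA_CMDS = {0x800007: "Q_GETQUOTA", 0x800008: "Q_SETQUOTA"}  # values from <linux/quota.h>
QUOTA_TYPES = {0: "USRQUOTA", 1: "GRPQUOTA"}

def fields(record):
    """Return the key=value pairs of one audit record, with quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def triage(records):
    """Join AVC and SYSCALL records by event serial and describe each quotactl denial."""
    events = {}
    for rec in records:
        serial = re.search(r'audit\([\d.]+:(\d+)\)', rec).group(1)
        kind = rec.split()[0].split("=")[1]          # "AVC" or "SYSCALL"
        events.setdefault(serial, {})[kind] = rec
    findings = []
    for ev in events.values():
        if "AVC" not in ev or "SYSCALL" not in ev:
            continue
        avc, sc = fields(ev["AVC"]), fields(ev["SYSCALL"])
        perms = re.search(r'denied\s+\{([^}]*)\}', ev["AVC"])
        if not perms or (sc["arch"], sc["syscall"]) != X86_64_QUOTACTL:
            continue
        a0 = int(sc["a0"], 16)                       # QCMD(cmd, type) = (cmd << 8) | type
        findings.append({
            "exe": sc["exe"],
            "cmd": QUOTA_CMDS.get(a0 >> 8, hex(a0 >> 8)),
            "type": QUOTA_TYPES.get(a0 & 0xFF, a0 & 0xFF),
            "id": int(sc["a2"], 16),                 # uid/gid whose quota was being set
            "errno": -int(sc["exit"]),               # 13 = EACCES
            # Candidate rule for policy review, in the form audit2allow would print.
            "rule": "allow %s %s:%s { %s };" % (
                avc["scontext"].split(":")[2], avc["tcontext"].split(":")[2],
                avc["tclass"], perms.group(1).strip()),
        })
    return findings

if __name__ == "__main__":
    print(triage(RECORDS))
```

For the records above this reports that rpc.rquotad, running as rpcd_t, was refused Q_SETQUOTA on a user quota with EACCES, which matches the quotamod denial in the AVC record.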
Comment 11 Petr Pisar 2010-08-02 08:03:52 EDT
The SELinux issue has been discussed with mgrepl off-line. A new bug against the SELinux policy component will be opened.
Comment 12 Martin Cermak 2010-08-04 02:50:29 EDT
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
For remote quotas to work with SELinux you have to adjust the rpc.quotad SELinux context until BZ#621057 is resolved.
Comment 16 Martin Prpič 2010-12-10 10:14:36 EST
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-For remote quotas to work with SELinux you have to adjust the rpc.quotad SELinux context until BZ#621057 is resolved.+The superuser is now able to use the '-r' (remote) option to edit quota limits on a remote system via remote procedure call (RPC) using the standard quota limit utilities. This enables quota limits on file systems which are mounted oven the network.
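Review bot: the added text contains a typo, "mounted oven the network" should read "mounted over the network". The replacement also removes the only mention of the rpc.quotad SELinux context adjustment and of BZ#621057; unless that bug is resolved in the same release, keep a sentence pointing to it so the note still explains why the '-r' option can fail with SELinux.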
Comment 18 errata-xmlrpc 2011-01-13 17:10:17 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0023.html
