Bug 53718 - rpc.rquotad crashes and leaks memory
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: quota
Version: 7.3
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Steve Dickson
QA Contact: Brock Organ
URL: http://www.cs.helsinki.fi/u/jjaakkol/...
Keywords: Security
Duplicates: 9038
Blocks: 90914
Reported: 2001-09-16 15:04 EDT by jjaakkol
Modified: 2007-04-18 12:37 EDT
Doc Type: Bug Fix
Last Closed: 2003-06-02 13:26:55 EDT
Description jjaakkol 2001-09-16 15:04:50 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.9-ac10 i686)

Description of problem:
When doing quota calls to non-mountpoints or nonexistent paths through the
latest rpc.rquotad, included in the latest quota package quota-3.01pre9-0.7.1,
it either crashes or leaks memory. Details can be found in the email I mailed
to the linux-quota developers at
http://www.cs.helsinki.fi/u/jjaakkol/quotabug.txt. IMHO, crashing services or
leaking file server memory counts as a security bug.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Do a remote quota query on a non-mountpoint
2. Do a remote quota query on a nonexistent directory

Additional info:
Comment 1 jjaakkol 2001-09-17 06:32:02 EDT
Third bug found: rpc.rquotad fails to check that remote setquota calls are made
from port < 1024. With a trivial change to edquota, any user can remotely change
any other user's quota. There is no way to disable setquota
without recompiling rpc.rquotad.
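
The check Comment 1 reports as missing, sketched as an added example (not code from the quota package, its patch, or any commenter): a gate that refuses the setquota procedures unless they are enabled at run time and the caller's source port is below 1024. All type and function names are hypothetical; the sample caller address is constructed, and port 65283 is included because its bytes read as 1023 on a little-endian host if the `ntohs()` conversion is forgotten.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; not taken from the quota package. */
enum rq_proc { RQ_GETQUOTA, RQ_GETACTIVEQUOTA, RQ_SETQUOTA, RQ_SETACTIVEQUOTA };
enum rq_verdict { RQ_ALLOW, RQ_DENY_DISABLED, RQ_DENY_BAD_ADDR, RQ_DENY_UNPRIV_PORT };

/* Runtime switch, so setquota can be turned off without recompiling. */
struct rq_policy { int setquota_enabled; };

/* Decide whether a request may proceed, given the caller's transport address. */
enum rq_verdict rq_authorize(const struct rq_policy *pol, enum rq_proc proc,
                             const struct sockaddr_in *caller)
{
    if (proc != RQ_SETQUOTA && proc != RQ_SETACTIVEQUOTA)
        return RQ_ALLOW;                 /* read-only queries are not gated here */
    if (!pol->setquota_enabled)
        return RQ_DENY_DISABLED;
    if (caller == NULL || caller->sin_family != AF_INET)
        return RQ_DENY_BAD_ADDR;         /* fail closed on anything unexpected */
    /* sin_port is in network byte order: convert before comparing. */
    if (ntohs(caller->sin_port) >= IPPORT_RESERVED)
        return RQ_DENY_UNPRIV_PORT;
    return RQ_ALLOW;
}

/* Run the gate against a constructed caller (192.0.2.10 is a documentation address). */
enum rq_verdict rq_check(int enabled, enum rq_proc proc, unsigned short port)
{
    struct rq_policy pol = { enabled };
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    inet_pton(AF_INET, "192.0.2.10", &sa.sin_addr);
    return rq_authorize(&pol, proc, &sa);
}

int main(void)
{
    printf("setquota from port 1023:  %d\n", rq_check(1, RQ_SETQUOTA, 1023));
    printf("setquota from port 40000: %d\n", rq_check(1, RQ_SETQUOTA, 40000));
    printf("setquota from port 65283: %d\n", rq_check(1, RQ_SETQUOTA, 65283));
    printf("setquota when disabled:   %d\n", rq_check(0, RQ_SETQUOTA, 1023));
    return 0;
}
```

A reserved source port only shows that a privileged process on the client host sent the request; it does not authenticate the user, which is why the runtime switch is kept as a separate control.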
Comment 2 jjaakkol 2001-09-18 14:36:45 EDT
I have made a fixed (and somewhat enhanced) package for my own machines. The
packages and patch are available from
http://www.cs.helsinki.fi/u/jjaakkol/linuxquota/
Comment 3 jjaakkol 2002-05-23 10:33:19 EDT
It seems that I am talking only to myself here. Anyway, exactly the same
problems (including the setquota security hole) are still present in the
quota package of RedHat 7.3. These have been fixed a long time ago in
the original linuxquota package available from
http://sourceforge.net/projects/linuxquota.
Comment 4 Phil Copeland 2002-05-23 10:43:13 EDT
Apologies, I've recently been assigned this package while I was engaged in the
advanced server and 7.2 alpha contracts so I've had zero time to look at bugzilla
beyond my normal package scope.

OK, it'll take me a few days to knock around this and it'll have to go through
QA as well. I'm not terribly sure if rawhide is still active or not but you
might see something there tomorrow morning (it updates nightly)

Phil
=--=
Comment 5 Need Real Name 2002-05-31 01:22:56 EDT
Phil,

We are seeing an issue which might be related to this.  We have a vanilla RH73
dual AMD box acting as an NFS server to various Suns and HPs over a gigabit
fiber NIC.  When someone attempts to log into the HP, the HP attempts to check
quota, which causes the RH73 rpc.rquotad daemon to die *immediately*.  The HP
quota check eventually times out and the user can continue, but I'd like to fix
it.

I'm wondering if rpc.rquotad is crashing for reasons similar to what
jjaakkol@cs.helsinki.fi is seeing.  I don't see anything suspicious
in /var/log/messages on the RH73 box.  Any idea when something might be
available for RH73 to try?

 - Chris

Comment 6 Need Real Name 2002-05-31 01:54:02 EDT
I just double-checked our Sun.  It doesn't check quota on rlogin, but 
typing 'quota' also instantly kills the RH73 rpc.rquotad daemon:

=====================
[root@chilly root]# service nfs status
rpc.mountd (pid 5825) is running...
nfsd (pid 5837 5836 5835 5834 5833 5832 5831 5830) is running...
rpc.rquotad is stopped
[root@chilly root]#
=====================

 - Chris

Comment 7 Kjartan Maraas 2003-03-31 15:39:44 EST
Any change here?
Comment 8 Jay Turner 2003-04-14 14:07:02 EDT
*** Bug 9038 has been marked as a duplicate of this bug. ***
Comment 9 Petri T. Koistinen 2003-05-17 18:09:26 EDT
Better get all quota problems fixed in the same errata.
Comment 10 Steve Dickson 2003-06-02 13:26:55 EDT
This problem is fixed in quota-3.06-9.7