From Bugzilla Helper: User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.9-ac10 i686) Description of problem: When doing quota calls to non mountpoints or nonexitents paths through latest rpc.rquotad included in latest quota package quota-3.01pre9-0.7.1 either crashes or leaks memory. Details can be found in email I mailed to linux-quota developers in http://www.cs.helsinki.fi/u/jjaakkol/quotabug.txt . IMHO, crashing services or leaking file server memory counts as a security bug. Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1.do remote quota query on non mountpoint 2.do remote quota query on non existent directory 3. Additional info:
Third bug found: rpc.rquotad fails to check that remote setquota calls are made from port < 1024. With a trivial change to edquota any user can remotely change any other users quota. There is no way to disable setquota without recompiling rpc.rquotad.
I have made a fixed (and somewhat enhanced) package for my own machines. The packages and patch are available from http://www.cs.helsinki.fi/u/jjaakkol/linuxquota/
It seems that I am talking only to myself here. Anyway, the exactly same problems (including the setquota security hole) are still present in the quota package of RedHat 7.3. These have been fixed a long time ago in the original linuxquota package available from http://sourceforge.net/projects/linuxquota.
Appologies, I've recently been assigned this package while I was engaged in the advanced server and 7.2 alpha contracts so I've had zero time to look at buzilla beyond my normal package scope. Ok,.. it'll take me a few days to knock around this and it'll have to go through QA as well. I'm not terribly sure is rawhide is still active or not but you might see something there tomorrow morning (it updates nightly) Phil =--=
Phil, We are seeing an issue which might be related to this. We have a vanilla RH73 dual AMD box acting as an NFS server to various Suns and HPs over a gigabit fiber NIC. When someone attempts to log into the HP, the HP attempts to check quota, which causes the RH73 rpc.quotad daemon to die *immediately*. The HP quota check eventually times out and the user can continue, but I'd like to fix it. I'm wondering if rpc.quotad is crashing for reasons similar to what jjaakkol.fi is seeing. I don't see anything suspicious in /var/log/messages on the RH73 box. Any idea when something might be available for RH73 to try? - Chris
I just double-checked our Sun. It doesn't check quota on rlogin, but typing 'quota' also instantly kills the RH73 rpc.rquotad daemon: ===================== [root@chilly root]# service nfs status rpc.mountd (pid 5825) is running... nfsd (pid 5837 5836 5835 5834 5833 5832 5831 5830) is running... rpc.rquotad is stopped [root@chilly root]# ===================== - Chris
Any change here?
*** Bug 9038 has been marked as a duplicate of this bug. ***
Better get all quota problems fixed at same errata.
This problem is fixed in quota-3.06-9.7