Red Hat Bugzilla – Bug 53718
rpc.rquotad crashes and leaks memory
Last modified: 2007-04-18 12:37:10 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.9-ac10 i686)
Description of problem:
When doing quota calls to non mountpoints or nonexitents paths through
latest rpc.rquotad included in latest quota package quota-3.01pre9-0.7.1
or leaks memory. Details can be found in email I mailed to linux-quota
developers in http://www.cs.helsinki.fi/u/jjaakkol/quotabug.txt . IMHO,
crashing services or leaking file server memory counts as a security bug.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1.do remote quota query on non mountpoint
2.do remote quota query on non existent directory
Third bug found: rpc.rquotad fails to check that remote setquota calls are made
from port < 1024. With a trivial change to edquota any user can remotely change
any other users quota. There is no way to disable setquota
without recompiling rpc.rquotad.
I have made a fixed (and somewhat enhanced) package for my own machines. The
packages and patch are available from
It seems that I am talking only to myself here. Anyway, the exactly same
problems (including the setquota security hole) are still present in the
quota package of RedHat 7.3. These have been fixed a long time ago in
the original linuxquota package available from
Appologies, I've recently been assigned this package while I was engaged in the
advanced server and 7.2 alpha contracts so I've had zero time to look at buzilla
beyond my normal package scope.
Ok,.. it'll take me a few days to knock around this and it'll have to go through
QA as well. I'm not terribly sure is rawhide is still active or not but you
might see something there tomorrow morning (it updates nightly)
We are seeing an issue which might be related to this. We have a vanilla RH73
dual AMD box acting as an NFS server to various Suns and HPs over a gigabit
fiber NIC. When someone attempts to log into the HP, the HP attempts to check
quota, which causes the RH73 rpc.quotad daemon to die *immediately*. The HP
quota check eventually times out and the user can continue, but I'd like to fix
I'm wondering if rpc.quotad is crashing for reasons similar to what
email@example.com is seeing. I don't see anything suspicious
in /var/log/messages on the RH73 box. Any idea when something might be
available for RH73 to try?
I just double-checked our Sun. It doesn't check quota on rlogin, but
typing 'quota' also instantly kills the RH73 rpc.rquotad daemon:
[root@chilly root]# service nfs status
rpc.mountd (pid 5825) is running...
nfsd (pid 5837 5836 5835 5834 5833 5832 5831 5830) is running...
rpc.rquotad is stopped
Any change here?
*** Bug 9038 has been marked as a duplicate of this bug. ***
Better get all quota problems fixed at same errata.
This problem is fixed in quota-3.06-9.7