[Bug] Change password in overquota

IPaddress (Verified User, joined Feb 21, 2004, 86 messages)
Software: DirectAdmin 1.40.3, Exim 4.76, Linux CentOS 5.6 x86_64

I found a critical bug when you try to change the password of a user who is over quota (has exceeded their disk space).

DirectAdmin will try to modify the file /home/user1/.shadow, but the file is left empty because it cannot be modified (the modification is rejected because of the over-quota status).

This creates a serious issue: it allows SMTP authentication with any random password for that system user, because Exim uses /home/user1/.shadow for password validation, and when this file is empty Exim accepts the login with any password.

I think this is an important issue, but I can't tell whether it affects all DirectAdmin installations or only mine...

Can anyone confirm the bug?
 
Hello,

The file is owned by the User, so it seems quite plausible.
The catch and confusing part is that DA is setting the file while running as root, so it should be able to bypass the quotas, and write without any issues.
This may be an OS-specific issue where, because the file is owned by the User, running as root has no impact and the quotas trump root (which sounds odd and new to me).
If that's the case, we may need to physically chown the .shadow file to root first, set the password, and then chown it back.
I'd prefer not to do this if it's not required.

Can anyone confirm the above behavior (quotas trump root)? It doesn't sound right to me.

John
 
Hello,

Yes, I do confirm that on CentOS 5.8.
What if you

1. try to create /home/username/.shadow.temp
2. chown the temp file, and if it succeeded, then
3. move it to /home/username/.shadow

You can't chown a file from root to the username when the user is over quota:

Code:
[root@server testuser]# cat /etc/redhat-release
CentOS release 5.8 (Final)
[root@server testuser]# LANG=C
[root@server testuser]# chown testuser:mail .shadow-bak
chown: changing ownership of `.shadow-bak': Disk quota exceeded
[root@server testuser]# quota -u testuser
Disk quotas for user testuser (uid 902):
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
     /dev/simfs   82116*  51200   56320    none      26       0       0
[root@server testuser]#
 
Hmm... alright, thanks.

What I can do is have it run normally as it does right now; then, after the process, DA will read the .shadow, and if it isn't what we set it to be, DA can shut off the quotas, set it again, and turn them back on.
Seems rather extreme, but it might be the only option. The quota off/on method would only happen if the current method failed.
If anyone can think of a cleaner method, please let me know ;) But the quota off/on won't be difficult to do... it's just a rather ugly solution.

John
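The write-then-verify approach John describes above, as an added example from the editor (not DirectAdmin's own code): it writes the new hash to a temp file next to .shadow, applies the user:mail 0640 ownership seen in the ls -la output later in the thread, renames it into place, reads the file back, and only if the read-back does not match does it turn quotas off, retry, and turn them back on. It also includes an audit that lists every /home/*/.shadow that is empty, since that is the state the first post says makes Exim accept any password. HOME_BASE, QUOTA_FS, the function names and the sample user names are assumptions for illustration; the demo runs unprivileged against a throwaway directory.

```shell
#!/bin/sh
# Added example for this thread, not DirectAdmin's code. Implements the
# write-then-verify idea from the discussion and an audit for the dangerous
# end state (an empty .shadow).
#
# Assumptions (hypothetical): HOME_BASE holds the user home directories
# (default /home); QUOTA_FS is the filesystem argument for quotaoff/quotaon.
HOME_BASE="${HOME_BASE:-/home}"
QUOTA_FS="${QUOTA_FS:-/home}"

# write_once USER HASH OWNER -> 0 only if $HOME_BASE/USER/.shadow now holds HASH
write_once() {
    user="$1"; hash="$2"; owner="$3"
    dir="$HOME_BASE/$user"
    tmp="$dir/.shadow.tmp.$$"
    target="$dir/.shadow"
    # Build the file privately; umask keeps it unreadable while incomplete.
    if ! ( umask 077 && printf '%s\n' "$hash" > "$tmp" ); then
        rm -f "$tmp"; return 1
    fi
    # DA's .shadow is user:mail mode 0640. The chown is the step that failed
    # with "Disk quota exceeded" on /dev/simfs in the thread.
    if ! chown "$owner" "$tmp" || ! chmod 640 "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    mv -f "$tmp" "$target" || { rm -f "$tmp"; return 1; }
    # Never trust the write: an empty or wrong file means "any password works".
    [ -s "$target" ] && [ "$(cat "$target")" = "$hash" ]
}

# write_shadow USER HASH [OWNER]
# Normal path first; if verification fails, quotas off -> retry -> quotas on.
write_shadow() {
    user="$1"; hash="$2"; owner="${3:-$1:mail}"
    if write_once "$user" "$hash" "$owner"; then
        return 0
    fi
    echo "write_shadow: write for $user failed verification; retrying with quotas off" >&2
    command -v quotaoff >/dev/null 2>&1 || return 1
    quotaoff -u "$QUOTA_FS" || return 1
    write_once "$user" "$hash" "$owner"; rc=$?
    quotaon -u "$QUOTA_FS" || echo "write_shadow: WARNING quotaon failed on $QUOTA_FS" >&2
    return $rc
}

# audit_empty_shadow: print each $HOME_BASE/*/.shadow that is empty.
# Returns 1 if any were found, 0 if all present .shadow files have content.
audit_empty_shadow() {
    found=0
    for f in "$HOME_BASE"/*/.shadow; do
        [ -f "$f" ] || continue
        if [ ! -s "$f" ]; then
            echo "EMPTY: $f"
            found=1
        fi
    done
    return $found
}

# Self-contained demo on a throwaway directory (no root, no real quotas):
#   sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    HOME_BASE="$(mktemp -d)"
    mkdir -p "$HOME_BASE/alice" "$HOME_BASE/bob"
    : > "$HOME_BASE/bob/.shadow"   # constructed: the broken, empty state
    write_shadow alice '$1$constructed$examplehash' "$(id -u):$(id -g)" \
        && echo "alice: .shadow written and verified"
    audit_empty_shadow || echo "audit: empty .shadow present; fix before Exim trusts it"
    rm -rf "$HOME_BASE"
fi
```

Running as root on a real server, call `write_shadow username 'hash'` and let the OWNER default to `username:mail`; the audit is worth running from cron regardless, because an empty .shadow produced by any cause is an authentication bypass until it is rewritten.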
 
I can hardly imagine why anybody would want to change the password of an over-quota account. The only situation that comes to my mind is suspending the account. When suspending such an account we get /home/username/.shadow emptied, and as soon as we unsuspend the account we still get the empty file. In such a situation, disabling quotas for the account might not be as ugly as you think, John.
 
Thanks John.

But it works here:

Code:
[root@server2 testuser2]#
[root@server2 testuser2]# quota -u testuser2
Disk quotas for user testuser2 (uid 508):
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
       /dev/md5   82104*  51200   56320   7days      23       0       0
[root@server2 testuser2]# chown testuser2:mail .shadow-bak
[root@server2 testuser2]# ls -la
total 44
drwx--x---  5 testuser2 access    4096 Mar 16 15:31 .
drwx--x--x 12 root      root      4096 Mar 16 15:30 ..
-rw-r--r--  1 testuser2 testuser2   33 Mar 16 15:30 .bash_logout
-rw-r--r--  1 testuser2 testuser2  176 Mar 16 15:30 .bash_profile
-rw-r--r--  1 testuser2 testuser2  124 Mar 16 15:30 .bashrc
drwx--x--x  3 testuser2 testuser2 4096 Mar 16 15:30 domains
drwxrwx---  3 testuser2 mail      4096 Mar 16 15:30 imap
lrwxrwxrwx  1 testuser2 testuser2   37 Mar 16 15:30 public_html -> ./domains/testuser2.local/public_html
-rw-r-----  1 testuser2 mail        34 Mar 16 15:30 .shadow
-rw-r-----  1 testuser2 mail        34 Mar 16 15:31 .shadow-bak
drwxrwx--x  2 testuser2 mail      4096 Mar 16 15:30 .spamassassin

On suspend/unsuspend the file .shadow doesn't get emptied.


Code:
/dev/md5 on /home type ext3 (rw,nosuid,nodev,noatime,usrquota,grpquota)
 