Checking the Disk Quota #2

Posted by & filed under , .

This is similar to the previous disk quota exploit I mentioned, except that this time an attacker can exploit the inode quota on the disk. This quota defines how many files user can use/store on a disk/partition. If there is no capping on this value, a user process can occupy all the inodes available on that partition by simply creating an empty file every iteration, thus preventing any other process that needs to create files on disk (e.g. pipes, temporary files etc) from doing so — leading to either crashes in the system processes or preventing these from working.

The code to exploit this is quite simple, as you might have guessed it: an infinite loop that simply creates an empty file on the disk this time — so at each iteration the system will lose one inode until there are no longer free inodes on the disk which will cause the system processes to crash or at least prevent them from working properly — such that the only thing you can really do is a hard reset. (Again, you won’t be able to log in either via the local console or remotely — or even kick off a reboot process — as the system will no longer be able to create any temporary files or write to the log file, or even worse, some of the daemon processes — e.g. ssh — will die.) Even worse, rebooting won’t work either as during start-up the system will not be able to create files on that partition!

We have chosen the /tmp directory here as typically anyone will have write access in this directory, and also this is the directory used by most of the system processes to write temporary files. A clever sysadmin, I guess, could either have created a different temp directory for users, on a different partition, where strict inodes quota rules apply, or mounted the /tmp dir on a partition where an inode quota is already in place for the system users. Also, if you are planning to check your system against this exploit, is also a good idea to check the partition that stores the user homes is not on the same partition as the /tmp directory, or that there is no other location where ordinary users can create files without having an inode quota.

Below is the code:

#include <stdlib.h>
#include <stdio.h>
/* We are going to write append a counter every iteration */
#define WRITE_FILE "/tmp/bigfile%l"
int main( int argc, char ** argv )
   char final_name[1024]; /* big enough to store a large filename */
   long counter = 0;
   while( 1 )
      /* generate the filename */
      sprintf( final_name, WRITE_FILE, counter );
      /* open file and simply close it*/
      FILE * fp = fopen( WRITE_FILE, "w" );
      if( !fp ) /* d'oh! */
         return 1;
      fclose( fp );

Remember that in order to prevent such an exploit on your machine you should set an inode quota for your users. Consult your man pages on how to do so.

Download the above source code here.

NOTE: This is an article from my old website, way before I restructured it. Since I see visitors going through search engines and requesting the old page, I decided to resurrect this, as it obviously presents a certain level of interest to users out there, so at least future searches will not get a simple 404 but get instead this page.