Ramblings of a dusty mind... Shashank Shekhar's Blog

Thursday Oct 16, 2008

Possible loophole with dd command in multi-user Linux servers

I didn't think this would be a big deal, but I noticed that several remote-login Linux servers set no disk quota at all for users, which can easily be exploited with a command like:

~$dd if=/dev/zero of=null.bin

It doesn't require sudo. I tried it on one of the remote-access servers that has to be logged into over Telnet, ran the command, and was surprised to see it permitted and running unchecked.

/dev/zero is not a disk but a character device that returns an endless stream of zero bytes. dd copies from its input file (/dev/zero here) to its output file (null.bin here) and stops only when it reaches end-of-file on the input, which /dev/zero never reports, or when a write fails. Because I gave it no count or block-size limit (the bs=xxx and count=xxx parameters), it keeps writing at whatever rate the disk sustains: a huge file within seconds, and the whole filesystem full soon after. The consequence is not just one user's bloated home directory: everything else on the same filesystem (other users' home directories, /tmp, and /var with its logs and mail spools if they are not separate partitions) also runs out of space, so one unprivileged user can deny service to everyone on the box. I tried it and in less than 7 seconds had a 962 MB null.bin in my home folder. Then I tried it on a virtual machine I had created (Ubuntu 8.04 Hardy Heron running in VMware on Windows) with a fixed 3 GB disk, and after about 10-15 seconds my dd command died with a "No space left on disk" error message.

I'm not sure if it's really a loophole or not, but it certainly made my home directory expand to 1.2 GB unchecked within seconds over a remote Telnet login to a Red Hat server. If it is a loophole, I think it could be solved by assigning a strict disk quota to each user, covering all the areas he can write to.
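As an added example (not code from the original post), the script below bounds the post's dd command with bs= and count=, then reruns a large copy under an RLIMIT_FSIZE cap (ulimit -f), the one guard an unprivileged user or a login script can apply without root. The file names, sizes and the temporary directory are the example's own assumptions. It also prints free space before and after, which is the first thing to check when a shared server suddenly stops writing.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: a writable
# temporary directory from mktemp, GNU or POSIX dd, and a kernel that
# enforces RLIMIT_FSIZE (Linux does).

# Byte size of a file, portable (stat -c %s is GNU-only).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Free space (KiB) on the filesystem holding $1, as df reports it.
free_kib() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# The post's command with the limit it was missing: exactly $2 MiB.
# bs= and count= bound the copy, so dd stops on its own.
bounded_fill() {
    dd if=/dev/zero of="$1" bs=1048576 count="$2" 2>/dev/null
}

# The same copy attempted with a large count (128 MiB here stands in for
# "until the disk is full"), but under ulimit -f. The kernel delivers
# SIGXFSZ on the first write that would cross the cap; dd does not catch
# it and is killed, so the file never grows past the cap.
# Unit caveat: bash counts ulimit -f in 1024-byte blocks, POSIX sh/dash in
# 512-byte blocks, so "1024" caps the file at 1 MiB or 512 KiB.
# Prints dd's exit status: 0 if it finished, 128+SIGXFSZ (153) if stopped.
guarded_fill() {
    rc=0
    ( ulimit -f 1024 && dd if=/dev/zero of="$1" bs=65536 count=2048 2>/dev/null ) 2>/dev/null || rc=$?
    echo "$rc"
}

# Stand-alone demo: both variants in a scratch directory, cleaned up on exit.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

before=$(free_kib "$work")
bounded_fill "$work/bounded.bin" 4
echo "bounded.bin: $(file_size "$work/bounded.bin") bytes"
echo "free KiB before/after: $before/$(free_kib "$work")"

status=$(guarded_fill "$work/guarded.bin")
echo "guarded.bin: $(file_size "$work/guarded.bin") bytes, dd exit status $status"
```

ulimit -f is a per-process guard only: it is set per login (a hard limit via /etc/security/limits.conf, since a user can raise their own soft limit back up), and a user who wants to fill the disk can still write many files under the cap. The fix the post suggests is the real one: mount the user-writable filesystems with usrquota, set per-user limits with edquota, and keep /home, /tmp and /var on partitions separate from / so a full home directory cannot take logging, mail and other users down with it.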

~Shashank

PS: "The Dilbert Future" is a really great book! :-) Just picked it up from the library, and the sections I've gone through so far haven't disappointed me yet!