Subject: Flaw in Disk quota in Windows 2000
From: Frank Heyne (fh RCS.URZ.TU-DRESDEN.DE)
Date: Sat Mar 04 2000 - 05:30:16 CST
- In reply to: Dave Tarbatt - ACS: "Disk (over)quota in Windows 2000"
- Reply: Frank Heyne: "Flaw in Disk quota in Windows 2000"
On 28 Feb 00, at 15:00, Dave Tarbatt - ACS wrote:
> On top of a few peculiarities there appears to be a bug
> which allows a user to exceed their disk quota by as much as they wish.
After some experiments I think I found the reason
for this behaviour:
There is a large flaw in the implementation of disk
quotas in W2K.
How is disk space used?
-----------------------
When you create a file, at least one cluster on disk
is used for this file.
Even when you create a file with a content of 0
bytes, a directory entry, a file header and a
security descriptor are created for this file, using
some disk space.
What is the reason for using disk quotas?
-----------------------------------------
The only reason I can imagine is to stop users from
occupying too much disk space. Disk space used by the
current user is not available for other users.
How should it be done?
----------------------
Obviously, the only way to do this is to decrease
the space available for the user every time he
occupies a new chunk on disk by the size of this
chunk. When this is done correctly, the sum of the
bytes used by the current user and the free bytes
available for all users should always result in the
same number (as long as only this one user is using
the machine).
How is it done?
---------------
The current implementation works as follows:
When the user creates a new file, only the size of
the data stream of this file is subtracted from the
number of bytes available for the user!
File header, security descriptor, unused space of
the disk sector behind the data - all these bytes
are lost for other users, but are not taken into
account for the current user!
So we have the result Dave Tarbatt reported here -
despite disk quotas every user can fill up the disk
with files of 0 bytes content.
There is the bug, not in the possibility to fill up
these files with some hundred bytes after they are
created! What is filled up here is the space in the
sectors reserved for these files - it is lost for
other users anyway, even when not filled by the
current user!
Testing
-------
There is an API function GetDiskFreeSpaceEx which
reports
- the total space available for the current user
- the free space available for the current user
- the free space available for all users
I made the tests on a 2 GB partition with clusters
of 2048 bytes. There were already files deleted by
that user.
What I did repeatedly was creating a file with 100
bytes data and running GetDiskFreeSpaceEx afterwards.
The results:
1. Normally the free space available for the current
user did not decrease at all after creating a new
file. But sometimes it decreased by 2048 bytes.
2. The free space available for all users sometimes
did not decrease, but sometimes it decreased by
4096, 8192 or 16348 bytes when a single file with
100 bytes data was created.
3. The free space available for the current user was
decreasing significantly slower than the free space
available for all users, though no other user was
logged on at the test machine.
I did not test how disk quota products of third
parties work, but the way Microsoft's quota manager
works is just broken.
Frank Heyne
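
The measurement described under "Testing", as an added example that is not part of the original post: it creates a batch of small files and compares how much the caller's quota was charged with how much the volume actually lost, using the two free-space figures from GetDiskFreeSpaceEx. The names `sample_free_space`, `measure_quota_drift`, the probe file names and the defaults of 50 files of 100 bytes are assumptions chosen for illustration.

```python
import ctypes
import os
import sys
import tempfile


def sample_free_space(directory):
    """Return (free_for_caller, free_for_all) in bytes via GetDiskFreeSpaceExW."""
    if sys.platform != "win32":
        raise OSError("GetDiskFreeSpaceExW is only available on Windows")
    caller, total, free_all = (ctypes.c_ulonglong() for _ in range(3))
    ok = ctypes.windll.kernel32.GetDiskFreeSpaceExW(
        ctypes.c_wchar_p(directory), ctypes.byref(caller),
        ctypes.byref(total), ctypes.byref(free_all))
    if not ok:
        raise ctypes.WinError()
    return caller.value, free_all.value


def measure_quota_drift(directory, files=50, payload=100,
                        sampler=sample_free_space):
    """Create `files` small files, then compare what the quota charged the
    caller with what the volume lost. `sampler` is injectable for testing."""
    start_caller, start_all = sampler(directory)
    paths = []
    try:
        for i in range(files):
            path = os.path.join(directory, "quota_probe_%04d.tmp" % i)
            with open(path, "wb") as fh:
                fh.write(b"\0" * payload)
                fh.flush()
                os.fsync(fh.fileno())      # force allocation before sampling
            paths.append(path)
        end_caller, end_all = sampler(directory)
    finally:
        for path in paths:                 # leave the volume as we found it
            os.remove(path)
    charged = start_caller - end_caller    # bytes the quota accounted for
    consumed = start_all - end_all         # bytes the volume really lost
    return {"charged": charged, "consumed": consumed,
            "uncharged": consumed - charged}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as probe_dir:
        print(measure_quota_drift(probe_dir))
```

Run it as a quota-limited user on an otherwise idle quota-enabled volume; other activity on the volume changes the all-users figure and skews `uncharged`.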