pterodactyl / panel

Pterodactyl® is a free, open-source game server management panel built with PHP, React, and Go. Designed with security in mind, Pterodactyl runs all game servers in isolated Docker containers while exposing a beautiful and intuitive UI to end users.
https://pterodactyl.io

Disk space attack. 1TB+ file created #4554

Closed BenasPaulikas closed 5 months ago

BenasPaulikas commented 1 year ago

Current Behavior

Limit server disk space (1GB for example). Somehow an 800GB file was able to get through (I'm not sure if it was created through a running egg or through SFTP).

/var/lib/pterodactyl/volumes/*/libraries # ls -la *.log
-rw-r--r-- 1 pterodactyl pterodactyl 858993459200 Nov 13 21:29 *.log

File is so big that head -10 or tail doesn't work on that file.

Expected Behavior

Disk space limit would be enforced.

Steps to Reproduce

None yet. I just discovered this file, on 2 different nodes. This should be a huge security issue as it can take as much space as it wants.

Panel Version

1.10.4

Wings Version

1.6.4

Games and/or Eggs Affected

This shouldn't be service related

Docker Image

No response

Error Logs

No response

Is there an existing issue for this?

BenasPaulikas commented 1 year ago

I also have to mention I have disk_check_interval set to a high value. However, the default is 150. I'm also curious why there were no disk limits on the container itself?

matthewpi commented 1 year ago

I also have to mention I have disk_check_interval set to a high value. However, the default is 150. I'm also curious why there were no disk limits on the container itself?

Containers don't provide us disk limiting functionality.

BenasPaulikas commented 1 year ago

@matthewpi understood. Could you help me understand a few more things?

  1. Does writing a file through the website or SFTP check the available disk space? Or is it only checked when disk_check_interval is done?
  2. Most likely what happened was some bogus executable wrote to one file as fast as possible. https://github.com/pterodactyl/panel/issues/3547 This might have helped.
  3. Any suggestions on how to improve this?
  4. Any way to force disk_check_interval for a specific server? This would recalculate space and would disallow starting the server.
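
Since the container itself does not cap disk usage, the only enforcement point left to Wings is a periodic measurement of the volume, which is why a fast writer can overshoot the limit between checks. The following is an added example, not Wings' own code, of what such a check has to measure: it sums both the apparent size that ls -l prints and the blocks actually allocated, so that a sparse file (which ls shows at its full apparent size while consuming almost nothing) neither hides from the limit nor causes a false alarm on its own. The volume path and the limit value are assumptions.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"syscall"
)

// Usage is one volume's disk consumption, measured two ways.
type Usage struct {
	Apparent  int64 // sum of file sizes: the number ls -l prints
	Allocated int64 // bytes actually backed by filesystem blocks
}
// VolumeUsage sums every regular file under root (assumed: /var/lib/pterodactyl/volumes/<uuid>).
// Entries come from Lstat, so symlinks are neither followed nor counted and a link
// pointing outside the volume can neither inflate nor hide the total.
func VolumeUsage(root string) (Usage, error) {
	var u Usage
	err := filepath.WalkDir(root, func(_ string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err // propagate walk errors; skip directories, links, sockets
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		u.Apparent += info.Size()
		if st, ok := info.Sys().(*syscall.Stat_t); ok {
			u.Allocated += st.Blocks * 512 // st_blocks is always in 512-byte units
		} else {
			u.Allocated += info.Size() // non-Unix fallback: assume fully allocated
		}
		return nil
	})
	return u, err
}

// OverLimit reports whether the volume exceeds limitBytes on either measure: Allocated
// catches real consumption, Apparent catches a sparse file whose holes become real once written.
func OverLimit(root string, limitBytes int64) (bool, Usage, error) {
	u, err := VolumeUsage(root)
	return err == nil && (u.Apparent > limitBytes || u.Allocated > limitBytes), u, err
}
func main() { // usage: diskcheck <volume-dir> <limit-bytes>
	var limit int64
	fmt.Sscan(os.Args[2], &limit)
	fmt.Println(OverLimit(os.Args[1], limit))
}
```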

FrankSealover commented 1 year ago

A good alternative (more of a stop-gap) to this is creating disk images and placing servers on there. Have fun incorporating that with your install, and I'm not sure how you would go about this at scale. It's just one idea.

dd if=/dev/zero of=/path/to/disk/image.img bs=1M count=16384   (This will create a 16GiB file)
mkfs.ext4 /path/to/disk/image.img

You should then be able to mount it as a loopback device with something like this (image file first, mount point second):

mount -o loop /path/to/disk/image.img /var/lib/pterodactyl/volumes/<uuid>

This will permanently enforce 16GiB. Anything that exceeds that disk image limit will not work.

FoksVHox commented 1 year ago

How about the latest version of the Panel and the software, are they also affected by this? Because the Wings version that you use is not supported, and it might be due to a version issue, since the panel version doesn't seem to be compatible with Wings 1.6.x.