diff --git a/0006-nfs.conf-silence-include-error.patch b/0006-nfs.conf-silence-include-error.patch index 08a92fa..2327fc7 100644 --- a/0006-nfs.conf-silence-include-error.patch +++ b/0006-nfs.conf-silence-include-error.patch @@ -1,3 +1,12 @@ +config: silence include error. + +Including a non-existant file should not be an +error, and should not create a message. +We include /etc/nfs.conf.local just incase some +localization has been requested. + +Signed-off-by: NeilBrown + --- support/nfs/conffile.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/0007-statd-user-from-sm b/0007-statd-user-from-sm new file mode 100644 index 0000000..bd60df6 --- /dev/null +++ b/0007-statd-user-from-sm 
@@ -0,0 +1,45 @@ +statd: take user-id from /var/lib/nfs/sm + +Having /var/lib/nfs writeable by statd is not ideal +as there are files in there that statd doesn't need +to access. +Aftger dropping privs, statd and sm-notify only need to +access files in the directories sm and sm.bak. +So take the uid for these deamons from 'sm'. + +Signed-off-by: NeilBrown +--- + support/nsm/file.c | 16 +++++----------- + 1 file changed, 5 insertions(+), 11 deletions(-) + +--- a/support/nsm/file.c ++++ b/support/nsm/file.c +@@ -388,23 +388,17 @@ nsm_drop_privileges(const int pidfd) + + (void)umask(S_IRWXO); + +- /* +- * XXX: If we can't stat dirname, or if dirname is owned by +- * root, we should use "statduser" instead, which is set up +- * by configure.ac. Nothing in nfs-utils seems to use +- * "statduser," though. +- */ +- if (lstat(nsm_base_dirname, &st) == -1) { +- xlog(L_ERROR, "Failed to stat %s: %m", nsm_base_dirname); +- return false; +- } +- + if (chdir(nsm_base_dirname) == -1) { + xlog(L_ERROR, "Failed to change working directory to %s: %m", + nsm_base_dirname); + return false; + } + ++ if (lstat(NSM_MONITOR_DIR, &st) == -1) { ++ xlog(L_ERROR, "Failed to stat %s/%s: %m", nsm_base_dirname, NSM_MONITOR_DIR); ++ return false; ++ } ++ + if (!prune_bounding_set()) + return false; + diff --git a/nfs-utils.changes b/nfs-utils.changes index e43f0b6..4f51759 100644 --- a/nfs-utils.changes +++ b/nfs-utils.changes @@ -2,9 +2,13 @@ Mon Sep 16 23:43:37 UTC 2019 - Neil Brown - Don't make /var/lib/nfs owned by statd. - Only sm sm.bak and state need to be accessible by - statd. Providing they get created, the parent + Only sm and sm.bak need to be accessible by + statd or sm-notify after they drop privs. + Providing they get created, the parent directory can be root-owned. +- 0007-statd-user-from-sm + Change rpc.statd and sm-notify to take uid from the sm + directory. (bsc#1150733 CVE-2019-3689) ------------------------------------------------------------------- 
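Review bot: The added `lstat(NSM_MONITOR_DIR, &st)` in nsm_drop_privileges is a relative lookup that is only correct because it now runs after `chdir(nsm_base_dirname)`, and the hunk deletes the only comment on this stat without recording why the owner of `sm` is the one that counts. A short comment above it would keep the ordering from being undone later, e.g. `/* Relative to nsm_base_dirname (chdir above): the uid is taken from the owner of "sm" so the parent directory can stay root-owned. */`. The removed XXX note also covered the case where the directory is owned by root, which is handled outside this hunk. If that path keeps running as root and its message still names `nsm_base_dirname`, it should name `NSM_MONITOR_DIR` so the administrator is told to chown the right directory. Because `lstat` does not follow links, a symlinked `sm` would yield the link's owner rather than the directory's, which is worth stating in the same comment.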
diff --git a/nfs-utils.spec b/nfs-utils.spec index eb016f9..9fb2391 100644 --- a/nfs-utils.spec +++ b/nfs-utils.spec @@ -51,6 +51,7 @@ Patch3: 0003-systemd-run-statd-notify-even-when-nfs-client-isn-t-.patch Patch4: 0004-nfsidmap-honour-with-pluginpath-for-instalation.patch Patch5: 0005-nfs.conf-fail-to-disable-major-NFS-version-4-using-v.patch Patch6: 0006-nfs.conf-silence-include-error.patch +Patch7: 0007-statd-user-from-sm BuildRequires: e2fsprogs-devel BuildRequires: fedfs-utils-devel @@ -154,6 +155,7 @@ This package contains additional NFS documentation. %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 cp %{SOURCE6} . @@ -220,9 +222,9 @@ chmod 644 %{buildroot}%{_sbindir}/{mountstats,nfsiostat} %service_add_pre auth-rpcgss-module.service nfs-idmapd.service nfs-blkmap.service rpc-statd-notify.service rpc-gssd.service rpc-statd.service rpc-svcgssd.service %post -n nfs-client -chown statd:nogroup %{_localstatedir}/lib/nfs > /dev/null 2>&1 || : -for i in state sm sm.bak; do - chown -R statd %{_localstatedir}/lib/nfs/$i > /dev/null 2>&1 || : +chown root:root %{_localstatedir}/lib/nfs > /dev/null 2>&1 || : +for i in sm sm.bak; do + chown -R statd:nogroup %{_localstatedir}/lib/nfs/$i > /dev/null 2>&1 || : done ### migrate from /var/lock/subsys [ -d /run/nfs ] || mkdir /run/nfs @@ -349,7 +351,7 @@ fi %dir %{_localstatedir}/lib/nfs/v4recovery %attr(0700,statd,nogroup) %dir %{_localstatedir}/lib/nfs/sm %attr(0700,statd,nogroup) %dir %{_localstatedir}/lib/nfs/sm.bak -%attr(0700,statd,nogroup) %ghost %{_localstatedir}/lib/nfs/state +%ghost %{_localstatedir}/lib/nfs/state %files -n nfs-kernel-server %defattr(-,root,root)
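Review bot: In the `%post -n nfs-client` hunk every `chown` still ends in `> /dev/null 2>&1 || :`, so a failure to hand `sm` or `sm.bak` to statd leaves no trace, and with 0007-statd-user-from-sm the owner of `sm` is what rpc.statd and sm-notify take their uid from. If a root-owned `sm` lets the daemons keep running as root (that branch of nsm_drop_privileges is not visible in this diff), a failed chown silently cancels the privilege drop. Dropping the redirection, as in `chown -R statd:nogroup %{_localstatedir}/lib/nfs/$i || :`, would at least put the error in the scriptlet output. The loop no longer touches `state`, and the `%files` hunk removes its `%attr`, so on an upgraded system that file presumably stays owned by statd inside the now root-owned directory. If it is meant to be root-owned, an explicit `chown root:root %{_localstatedir}/lib/nfs/state 2>/dev/null || :` would make upgrades match fresh installs.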