diff --git a/0006-conffile-allow-optional-include-files.patch b/0006-conffile-allow-optional-include-files.patch
new file mode 100644
index 0000000..7f25208
--- /dev/null
+++ b/0006-conffile-allow-optional-include-files.patch
@@ -0,0 +1,61 @@
+From f608217f6136c0e9fedc7bc728e4ba13ed295c4c Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.de>
+Date: Mon, 23 Sep 2019 11:20:39 +1000
+Subject: [PATCH] conffile: allow optional include files.
+
+If nfs.conf contains, for example
+  include = /etc/nfs.conf.local
+and /etc/nfs.conf.local doesn't exist, then a warning is given.
+Sometimes it is useful to have an optional include file which is
+included if present, but for which an absence doesn't give a
+warning.
+
+Systemd has a convention that a hyphen at the start of
+an include file name marks it as optional, so add this convention
+to nfs-utils.
+So
+  include = -/etc/nfs.conf.local
+will not give a warning if the file doesn't exist.
+
+Signed-off-by: NeilBrown <neilb@suse.de>
+---
+ support/nfs/conffile.c |   13 ++++++++++---
+ systemd/nfs.conf.man   |    3 +++
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+--- a/support/nfs/conffile.c
++++ b/support/nfs/conffile.c
+@@ -413,11 +413,18 @@ conf_parse_line(int trans, char *line, c
+ 
+ 	if (strcasecmp(line, "include")==0) {
+ 		/* load and parse subordinate config files */
++		_Bool optional = false;
++
++		if (val && *val == '-') {
++			optional = true;
++			val++;
++		}
++
+ 		relpath = relative_path(filename, val);
+ 		if (relpath == NULL) {
+-			xlog_warn("config error at %s:%d: "
+-				"error loading included config",
+-				  filename, lineno);
++			if (!optional)
++				xlog_warn("config error at %s:%d: error loading included config",
++					  filename, lineno);
+ 			return;
+ 		}
+ 
+--- a/systemd/nfs.conf.man
++++ b/systemd/nfs.conf.man
+@@ -65,6 +65,9 @@ section headers, then new sections will
+ included file appeared in place of the
+ .B include
+ line.
++If the file name starts with a hyphen then that is stripped off
++before the file is opened, and if file doesn't exist no warning is
++given.  Normally a non-existent include file generates a warning.
+ .PP
+ Lookup of section and value names is case-insensitive.
+ 
diff --git a/0007-statd-user-from-sm b/0007-statd-user-from-sm
new file mode 100644
index 0000000..bd60df6
--- /dev/null
+++ b/0007-statd-user-from-sm
@@ -0,0 +1,45 @@
+statd: take user-id from /var/lib/nfs/sm
+
+Having /var/lib/nfs writeable by statd is not ideal
+as there are files in there that statd doesn't need
+to access.
+Aftger dropping privs, statd and sm-notify only need to
+access files in the directories sm and sm.bak.
+So take the uid for these deamons from 'sm'.
+
+Signed-off-by: NeilBrown <neilb@suse.com>
+---
+ support/nsm/file.c |   16 +++++-----------
+ 1 file changed, 5 insertions(+), 11 deletions(-)
+
+--- a/support/nsm/file.c
++++ b/support/nsm/file.c
+@@ -388,23 +388,17 @@ nsm_drop_privileges(const int pidfd)
+ 
+ 	(void)umask(S_IRWXO);
+ 
+-	/*
+-	 * XXX: If we can't stat dirname, or if dirname is owned by
+-	 *      root, we should use "statduser" instead, which is set up
+-	 *      by configure.ac.  Nothing in nfs-utils seems to use
+-	 *      "statduser," though.
+-	 */
+-	if (lstat(nsm_base_dirname, &st) == -1) {
+-		xlog(L_ERROR, "Failed to stat %s: %m", nsm_base_dirname);
+-		return false;
+-	}
+-
+ 	if (chdir(nsm_base_dirname) == -1) {
+ 		xlog(L_ERROR, "Failed to change working directory to %s: %m",
+ 				nsm_base_dirname);
+ 		return false;
+ 	}
+ 
++	if (lstat(NSM_MONITOR_DIR, &st) == -1) {
++		xlog(L_ERROR, "Failed to stat %s/%s: %m", nsm_base_dirname, NSM_MONITOR_DIR);
++		return false;
++	}
++
+ 	if (!prune_bounding_set())
+ 		return false;
+ 
diff --git a/0008-mountd-Initialize-logging-early.patch b/0008-mountd-Initialize-logging-early.patch
new file mode 100644
index 0000000..0121956
--- /dev/null
+++ b/0008-mountd-Initialize-logging-early.patch
@@ -0,0 +1,61 @@
+From 30961f1bf9be6117aa825e7bfc8b327c93d3aacd Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.de>
+Date: Mon, 23 Sep 2019 11:10:31 +1000
+Subject: [PATCH] mountd: Initialize logging early.
+
+Reading the config file can generate log messages,
+so we should initialize logging before reading the
+config file.
+
+If any log message are generated, syslog will leave
+a file descriptor open (a socket), so calling
+closeall(3) after this can cause problem.
+Before this we initialize login we don't know if
+Foreground (-F) has been selected, so closeall()
+cannot be conditional on that.
+
+closeall() isn't needed - daemon are almost always run
+from a management daemon like systemd, and they are given
+a clean environment.  It is really best if they just take
+what they are given.
+
+So remove the closeall() call.
+
+Signed-off-by: NeilBrown <neilb@suse.de>
+---
+ utils/mountd/mountd.c |    9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/utils/mountd/mountd.c
++++ b/utils/mountd/mountd.c
+@@ -679,6 +679,9 @@ main(int argc, char **argv)
+ 	else
+ 		progname = argv[0];
+ 
++	/* Initialize logging. */
++	xlog_open(progname);
++
+ 	conf_init_file(NFS_CONFFILE);
+ 	xlog_from_conffile("mountd");
+ 	manage_gids = conf_get_bool("mountd", "manage-gids", manage_gids);
+@@ -818,9 +821,7 @@ main(int argc, char **argv)
+ 			}
+ 		}
+ 	}
+-	/* Initialize logging. */
+ 	if (!foreground) xlog_stderr(0);
+-	xlog_open(progname);
+ 
+ 	sa.sa_handler = SIG_IGN;
+ 	sa.sa_flags = 0;
+@@ -832,10 +833,6 @@ main(int argc, char **argv)
+ 	/* WARNING: the following works on Linux and SysV, but not BSD! */
+ 	sigaction(SIGCHLD, &sa, NULL);
+ 
+-	/* Daemons should close all extra filehandles ... *before* RPC init. */
+-	if (!foreground)
+-		closeall(3);
+-
+ 	cache_open();
+ 
+ 	unregister_services();
diff --git a/nfs-utils.changes b/nfs-utils.changes
index 2556587..7984807 100644
--- a/nfs-utils.changes
+++ b/nfs-utils.changes
@@ -1,3 +1,34 @@
+-------------------------------------------------------------------
+Mon Sep 23 01:52:29 UTC 2019 - Neil Brown <nfbrown@suse.com>
+
+- Delete  0006-nfs.conf-silence-include-error.patch
+  replaced with better version
+- 0006-conffile-allow-optional-include-files.patch
+   Avoid error if /etc/nfs.conf.local doesn't exist
+  (bsc#1151044 bsc#1150807)
+- 0008-mountd-Initialize-logging-early.patch
+ Don't close the loging socket - it causes problems.
+  (bsc#1151044 bsc#1150807)
+
+-------------------------------------------------------------------
+Mon Sep 16 23:43:37 UTC 2019 - Neil Brown <nfbrown@suse.com>
+
+- Don't make /var/lib/nfs owned by statd.
+  Only sm and sm.bak need to be accessible by
+  statd or sm-notify after they drop privs.
+  Providing they get created, the parent
+  directory can be root-owned.
+- 0007-statd-user-from-sm
+  Change rpc.statd and sm-notify to take uid from the sm
+  directory.
+  (bsc#1150733 CVE-2019-3689)
+
+-------------------------------------------------------------------
+Mon Sep 16 05:56:12 UTC 2019 - Neil Brown <nfbrown@suse.com>
+
+- 0006-nfs.conf-silence-include-error.patch
+ Avoid an unhelpful warning (bsc#1150807)
+
 -------------------------------------------------------------------
 Mon Sep  2 05:25:07 UTC 2019 - Neil Brown <nfbrown@suse.com>
 
diff --git a/nfs-utils.spec b/nfs-utils.spec
index 1c54c96..e877007 100644
--- a/nfs-utils.spec
+++ b/nfs-utils.spec
@@ -50,6 +50,9 @@ Patch2:         0002-Let-systemd-know-when-rpc.statd-is-needed.patch
 Patch3:         0003-systemd-run-statd-notify-even-when-nfs-client-isn-t-.patch
 Patch4:         0004-nfsidmap-honour-with-pluginpath-for-instalation.patch
 Patch5:         0005-nfs.conf-fail-to-disable-major-NFS-version-4-using-v.patch
+Patch6:         0006-conffile-allow-optional-include-files.patch
+Patch7:         0007-statd-user-from-sm
+Patch8:         0008-mountd-Initialize-logging-early.patch
 
 BuildRequires:  e2fsprogs-devel
 BuildRequires:  fedfs-utils-devel
@@ -152,6 +155,9 @@ This package contains additional NFS documentation.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
 
 cp %{SOURCE6} .
 
@@ -218,9 +224,9 @@ chmod 644 %{buildroot}%{_sbindir}/{mountstats,nfsiostat}
 %service_add_pre auth-rpcgss-module.service nfs-idmapd.service nfs-blkmap.service rpc-statd-notify.service rpc-gssd.service rpc-statd.service rpc-svcgssd.service
 
 %post -n nfs-client
-chown statd:nogroup %{_localstatedir}/lib/nfs > /dev/null 2>&1 || :
-for i in state sm sm.bak; do
-	chown -R statd %{_localstatedir}/lib/nfs/$i > /dev/null 2>&1 || :
+chown root:root %{_localstatedir}/lib/nfs > /dev/null 2>&1 || :
+for i in sm sm.bak; do
+	chown -R statd:nogroup %{_localstatedir}/lib/nfs/$i > /dev/null 2>&1 || :
 done
 ### migrate from /var/lock/subsys
 [ -d /run/nfs ] || mkdir /run/nfs
@@ -342,12 +348,12 @@ fi
 %{_mandir}/man8/blkmapd.8%{ext_man}
 %{_mandir}/man8/rpc.svcgssd.8%{ext_man}
 %{_fillupdir}/sysconfig.nfs
-%attr(0711,statd,nogroup) %dir %{_localstatedir}/lib/nfs
+%dir %{_localstatedir}/lib/nfs
 %dir %{_localstatedir}/lib/nfs/rpc_pipefs
 %dir %{_localstatedir}/lib/nfs/v4recovery
 %attr(0700,statd,nogroup) %dir %{_localstatedir}/lib/nfs/sm
 %attr(0700,statd,nogroup) %dir %{_localstatedir}/lib/nfs/sm.bak
-%attr(0700,statd,nogroup) %ghost %{_localstatedir}/lib/nfs/state
+%ghost %{_localstatedir}/lib/nfs/state
 
 %files -n nfs-kernel-server
 %defattr(-,root,root)
diff --git a/nfs.conf b/nfs.conf
index c707927..b3fd8fe 100644
--- a/nfs.conf
+++ b/nfs.conf
@@ -9,7 +9,7 @@
 
 [environment]
 include = /etc/sysconfig/nfs
-include = /etc/nfs.conf.local
+include = -/etc/nfs.conf.local
 [general]
  pipefs-directory=$RPC_PIPEFS_DIR
 #