nfs-utils/0002-mount-call-setgroups-before-setuid.patch

From 5b7da9d70261583e67e114b36cb19973de15606d Mon Sep 17 00:00:00 2001
From: NeilBrown <neilb@suse.com>
Date: Wed, 8 Feb 2017 08:22:36 +1100
Subject: [PATCH] mount: call setgroups() before setuid()

It is generally wise to call setgroups() (and setgid()) before calling
setuid() to ensure no unexpected permission leaks happen.
SUSE's build system check all binaries for conformance with this
and generates a warning for mountd.

As we set setting the uid to 0, there is no risk that the group list
will provide extra permissions, so there is no real risk here.
But it is nice to silence warnings, and including a setgroups()
call is probably a good practice to encourage.

Signed-off-by: NeilBrown <neilb@suse.com>
---
 utils/mount/network.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/utils/mount/network.c b/utils/mount/network.c
index d1c8fec75174..281e9354a7fa 100644
--- a/utils/mount/network.c
+++ b/utils/mount/network.c
@@ -33,6 +33,7 @@
 #include <errno.h>
 #include <netdb.h>
 #include <time.h>
+#include <grp.h>
 
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -804,6 +805,7 @@ int start_statd(void)
 			pid_t pid = fork();
 			switch (pid) {
 			case 0: /* child */
+				setgroups(0, NULL);
 				setgid(0);
 				setuid(0);
 				execle(START_STATD, START_STATD, NULL, envp);
-- 
2.11.0
- update upstream version from 1.3.4 to 2.1.1 The significant update is that configuration can now be read from a central /etc/nfs.conf file, and it can include other files such as /etc/sysconfig/nfs This means that the old nfs-config.service systemd unit is no longer needed. - /etc/nfs.conf file created to import all sysconfig settings except _OPTIONS directly into running code. - dropins created to pass _OPTIONS sysconfig setting to the various daemons. - various specfile improvements, such as using "-D" in "install" commands, and adding "verify_permissions". - "xtab" has not been needed for years and has now been remove. - sysconfig.nfs updated, particular the ServiceRestart declarations have been tuned for systemd units. - 0003-nfs-server-generator-handle-noauto-mounts-correctly.patch Fix the nfs-server-generator so that mounts marked "noauto" are not automatically mounted when NFS exported. (bsc#1019211) - 0001-conffile-ignore-empty-environment-variables.patch 0002-mount-call-setgroups-before-setuid.patch Other minor fixes found during testing. - REMOVED 0001-Make-location-of-nfs-utils_env.sh-configurable.patch now included upstream OBS-URL: https://build.opensuse.org/package/show/Base:System/nfs-utils?expand=0&rev=177 2017-02-08 03:43:23 +01:00			`From 5b7da9d70261583e67e114b36cb19973de15606d Mon Sep 17 00:00:00 2001`
			`From: NeilBrown <neilb@suse.com>`
			`Date: Wed, 8 Feb 2017 08:22:36 +1100`
			`Subject: [PATCH] mount: call setgroups() before setuid()`

			`It is generally wise to call setgroups() (and setgid()) before calling`
			`setuid() to ensure no unexpected permission leaks happen.`
			`SUSE's build system check all binaries for conformance with this`
			`and generates a warning for mountd.`

			`As we set setting the uid to 0, there is no risk that the group list`
			`will provide extra permissions, so there is no real risk here.`
			`But it is nice to silence warnings, and including a setgroups()`
			`call is probably a good practice to encourage.`

			`Signed-off-by: NeilBrown <neilb@suse.com>`
			`---`
			`utils/mount/network.c \| 2 ++`
			`1 file changed, 2 insertions(+)`

			`diff --git a/utils/mount/network.c b/utils/mount/network.c`
			`index d1c8fec75174..281e9354a7fa 100644`
			`--- a/utils/mount/network.c`
			`+++ b/utils/mount/network.c`
			`@@ -33,6 +33,7 @@`
			`#include <errno.h>`
			`#include <netdb.h>`
			`#include <time.h>`
			`+#include <grp.h>`

			`#include <sys/types.h>`
			`#include <sys/socket.h>`
			`@@ -804,6 +805,7 @@ int start_statd(void)`
			`pid_t pid = fork();`
			`switch (pid) {`
			`case 0: /* child */`
			`+ setgroups(0, NULL);`
			`setgid(0);`
			`setuid(0);`
			`execle(START_STATD, START_STATD, NULL, envp);`
			`--`
			`2.11.0`