Only sm and sm.bak need to be accessible by
statd or sm-notify after they drop privs. Providing they get created, the parent - 0007-statd-user-from-sm Change rpc.statd and sm-notify to take uid from the sm directory. OBS-URL: https://build.opensuse.org/package/show/Base:System/nfs-utils?expand=0&rev=207
parent
2c42cd5b0d
commit
0138b6c771
@ -1,3 +1,12 @@
|
|||||||
|
config: silence include error.
|
||||||
|
|
||||||
|
Including a non-existant file should not be an
|
||||||
|
error, and should not create a message.
|
||||||
|
We include /etc/nfs.conf.local just incase some
|
||||||
|
localization has been requested.
|
||||||
|
|
||||||
|
Signed-off-by: NeilBrown <neilb@suse.com>
|
||||||
|
|
||||||
---
|
---
|
||||||
support/nfs/conffile.c | 7 ++++---
|
support/nfs/conffile.c | 7 ++++---
|
||||||
1 file changed, 4 insertions(+), 3 deletions(-)
|
1 file changed, 4 insertions(+), 3 deletions(-)
|
||||||
|
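--- /dev/null
+++ b/0007-statd-user-from-sm
@@ -0,0 +1,45 @@
+statd: take user-id from /var/lib/nfs/sm
+
+Having /var/lib/nfs writeable by statd is not ideal
+as there are files in there that statd doesn't need
+to access.
+Aftger dropping privs, statd and sm-notify only need to
+access files in the directories sm and sm.bak.
+So take the uid for these deamons from 'sm'.
+
+Signed-off-by: NeilBrown <neilb@suse.com>
+---
+support/nsm/file.c | 16 +++++-----------
+1 file changed, 5 insertions(+), 11 deletions(-)
+
+--- a/support/nsm/file.c
++++ b/support/nsm/file.c
+@@ -388,23 +388,17 @@ nsm_drop_privileges(const int pidfd)
+
+(void)umask(S_IRWXO);
+
+- /*
+- * XXX: If we can't stat dirname, or if dirname is owned by
+- * root, we should use "statduser" instead, which is set up
+- * by configure.ac. Nothing in nfs-utils seems to use
+- * "statduser," though.
+- */
+- if (lstat(nsm_base_dirname, &st) == -1) {
+- xlog(L_ERROR, "Failed to stat %s: %m", nsm_base_dirname);
+- return false;
+- }
+-
+if (chdir(nsm_base_dirname) == -1) {
+xlog(L_ERROR, "Failed to change working directory to %s: %m",
+nsm_base_dirname);
+return false;
+}
+
++ if (lstat(NSM_MONITOR_DIR, &st) == -1) {
++ xlog(L_ERROR, "Failed to stat %s/%s: %m", nsm_base_dirname, NSM_MONITOR_DIR);
++ return false;
++ }
++
+if (!prune_bounding_set())
+return false;
+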
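Review bot: The added `lstat(NSM_MONITOR_DIR, &st)` takes the uid to drop to from whatever object is named `sm`, but nothing in the hunk checks that it is a directory; because lstat() does not follow links, a symlink at that path would supply its own owner. A guard right after the lstat, such as `if (!S_ISDIR(st.st_mode)) { xlog(L_ERROR, "%s/%s is not a directory", nsm_base_dirname, NSM_MONITOR_DIR); return false; }`, would make that assumption explicit. The deleted XXX comment was the only explanation of where the uid comes from, so a short replacement would help, e.g. `/* Take the uid to drop to from the sm directory; the base directory may be root-owned. */`. How `st` is used afterwards, including the case where `sm` is owned by root, is outside the hunk, as is the start of nsm_drop_privileges.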
@ -2,9 +2,13 @@
|
|||||||
Mon Sep 16 23:43:37 UTC 2019 - Neil Brown <nfbrown@suse.com>
|
Mon Sep 16 23:43:37 UTC 2019 - Neil Brown <nfbrown@suse.com>
|
||||||
|
|
||||||
- Don't make /var/lib/nfs owned by statd.
|
- Don't make /var/lib/nfs owned by statd.
|
||||||
Only sm sm.bak and state need to be accessible by
|
Only sm and sm.bak need to be accessible by
|
||||||
statd. Providing they get created, the parent
|
statd or sm-notify after they drop privs.
|
||||||
|
Providing they get created, the parent
|
||||||
directory can be root-owned.
|
directory can be root-owned.
|
||||||
|
- 0007-statd-user-from-sm
|
||||||
|
Change rpc.statd and sm-notify to take uid from the sm
|
||||||
|
directory.
|
||||||
(bsc#1150733 CVE-2019-3689)
|
(bsc#1150733 CVE-2019-3689)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
|
@ -51,6 +51,7 @@ Patch3: 0003-systemd-run-statd-notify-even-when-nfs-client-isn-t-.patch
|
|||||||
Patch4: 0004-nfsidmap-honour-with-pluginpath-for-instalation.patch
|
Patch4: 0004-nfsidmap-honour-with-pluginpath-for-instalation.patch
|
||||||
Patch5: 0005-nfs.conf-fail-to-disable-major-NFS-version-4-using-v.patch
|
Patch5: 0005-nfs.conf-fail-to-disable-major-NFS-version-4-using-v.patch
|
||||||
Patch6: 0006-nfs.conf-silence-include-error.patch
|
Patch6: 0006-nfs.conf-silence-include-error.patch
|
||||||
|
Patch7: 0007-statd-user-from-sm
|
||||||
|
|
||||||
BuildRequires: e2fsprogs-devel
|
BuildRequires: e2fsprogs-devel
|
||||||
BuildRequires: fedfs-utils-devel
|
BuildRequires: fedfs-utils-devel
|
||||||
@ -154,6 +155,7 @@ This package contains additional NFS documentation.
|
|||||||
%patch4 -p1
|
%patch4 -p1
|
||||||
%patch5 -p1
|
%patch5 -p1
|
||||||
%patch6 -p1
|
%patch6 -p1
|
||||||
|
%patch7 -p1
|
||||||
|
|
||||||
cp %{SOURCE6} .
|
cp %{SOURCE6} .
|
||||||
|
|
||||||
@ -220,9 +222,9 @@ chmod 644 %{buildroot}%{_sbindir}/{mountstats,nfsiostat}
|
|||||||
%service_add_pre auth-rpcgss-module.service nfs-idmapd.service nfs-blkmap.service rpc-statd-notify.service rpc-gssd.service rpc-statd.service rpc-svcgssd.service
|
%service_add_pre auth-rpcgss-module.service nfs-idmapd.service nfs-blkmap.service rpc-statd-notify.service rpc-gssd.service rpc-statd.service rpc-svcgssd.service
|
||||||
|
|
||||||
%post -n nfs-client
|
%post -n nfs-client
|
||||||
chown statd:nogroup %{_localstatedir}/lib/nfs > /dev/null 2>&1 || :
|
chown root:root %{_localstatedir}/lib/nfs > /dev/null 2>&1 || :
|
||||||
for i in state sm sm.bak; do
|
for i in sm sm.bak; do
|
||||||
chown -R statd %{_localstatedir}/lib/nfs/$i > /dev/null 2>&1 || :
|
chown -R statd:nogroup %{_localstatedir}/lib/nfs/$i > /dev/null 2>&1 || :
|
||||||
done
|
done
|
||||||
### migrate from /var/lock/subsys
|
### migrate from /var/lock/subsys
|
||||||
[ -d /run/nfs ] || mkdir /run/nfs
|
[ -d /run/nfs ] || mkdir /run/nfs
|
||||||
@ -349,7 +351,7 @@ fi
|
|||||||
%dir %{_localstatedir}/lib/nfs/v4recovery
|
%dir %{_localstatedir}/lib/nfs/v4recovery
|
||||||
%attr(0700,statd,nogroup) %dir %{_localstatedir}/lib/nfs/sm
|
%attr(0700,statd,nogroup) %dir %{_localstatedir}/lib/nfs/sm
|
||||||
%attr(0700,statd,nogroup) %dir %{_localstatedir}/lib/nfs/sm.bak
|
%attr(0700,statd,nogroup) %dir %{_localstatedir}/lib/nfs/sm.bak
|
||||||
%attr(0700,statd,nogroup) %ghost %{_localstatedir}/lib/nfs/state
|
%ghost %{_localstatedir}/lib/nfs/state
|
||||||
|
|
||||||
%files -n nfs-kernel-server
|
%files -n nfs-kernel-server
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
|
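Review bot: In the `%post -n nfs-client` hunk, `chown -R statd:nogroup %{_localstatedir}/lib/nfs/$i` still runs as root over sm and sm.bak, which the statd user can write to, and any failure is discarded by `> /dev/null 2>&1 || :`. The %files list already sets `%attr(0700,statd,nogroup)` on both directories, so the recursion is presumably only there for files left by older installs; a non-recursive `chown -h statd:nogroup %{_localstatedir}/lib/nfs/$i`, or a comment stating why the recursion is required, would narrow what a root scriptlet does inside a tree it does not control. The last hunk also drops the `%attr` from the `%ghost` `state` entry while the loop stops chowning it, so on upgrade `state` presumably keeps its previous owner; if that is intended, a one-line comment in the scriptlet should say so.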