Only sm and sm.bak need to be accessible by

statd or sm-notify after they drop privs. Providing they get created, the parent - 0007-statd-user-from-sm Change rpc.statd and sm-notify to take uid from the sm directory. OBS-URL: https://build.opensuse.org/package/show/Base:System/nfs-utils?expand=0&rev=207
2019-09-17 01:17:20 +00:00 · 2019-09-17 01:17:20 +00:00 · 0138b6c771
commit 0138b6c771
parent 2c42cd5b0d
4 changed files with 66 additions and 6 deletions
--- a/0006-nfs.conf-silence-include-error.patch
+++ b/0006-nfs.conf-silence-include-error.patch
@ -1,3 +1,12 @@
+config: silence include error.
+
+Including a non-existant file should not be an
+error, and should not create a message.
+We include /etc/nfs.conf.local just incase some
+localization has been requested.
+
+Signed-off-by: NeilBrown <neilb@suse.com>
+
 ---
 support/nfs/conffile.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
--- a/45
+++ b/45
@ -0,0 +1,45 @@
+statd: take user-id from /var/lib/nfs/sm
+
+Having /var/lib/nfs writeable by statd is not ideal
+as there are files in there that statd doesn't need
+to access.
+Aftger dropping privs, statd and sm-notify only need to
+access files in the directories sm and sm.bak.
+So take the uid for these deamons from 'sm'.
+
+Signed-off-by: NeilBrown <neilb@suse.com>
+---
+ support/nsm/file.c |   16 +++++-----------
+ 1 file changed, 5 insertions(+), 11 deletions(-)
+
+--- a/support/nsm/file.c
+++ b/support/nsm/file.c
+@@ -388,23 +388,17 @@ nsm_drop_privileges(const int pidfd)
+ 
+ 	(void)umask(S_IRWXO);
+ 
+-	/*
+-	 * XXX: If we can't stat dirname, or if dirname is owned by
+-	 *      root, we should use "statduser" instead, which is set up
+-	 *      by configure.ac.  Nothing in nfs-utils seems to use
+-	 *      "statduser," though.
+-	 */
+-	if (lstat(nsm_base_dirname, &st) == -1) {
+-		xlog(L_ERROR, "Failed to stat %s: %m", nsm_base_dirname);
+-		return false;
+-	}
+-
+ 	if (chdir(nsm_base_dirname) == -1) {
+ 		xlog(L_ERROR, "Failed to change working directory to %s: %m",
+ 				nsm_base_dirname);
+ 		return false;
+ 	}
+ 
+	if (lstat(NSM_MONITOR_DIR, &st) == -1) {
+		xlog(L_ERROR, "Failed to stat %s/%s: %m", nsm_base_dirname, NSM_MONITOR_DIR);
+		return false;
+	}
+
+ 	if (!prune_bounding_set())
+ 		return false;
+ 
--- a/nfs-utils.changes
+++ b/nfs-utils.changes
@ -2,9 +2,13 @@
 Mon Sep 16 23:43:37 UTC 2019 - Neil Brown <nfbrown@suse.com>

 - Don't make /var/lib/nfs owned by statd.
-  Only sm sm.bak and state need to be accessible by
-  statd.  Providing they get created, the parent
+  Only sm and sm.bak need to be accessible by
+  statd or sm-notify after they drop privs.
+  Providing they get created, the parent
  directory can be root-owned.
+- 0007-statd-user-from-sm
+  Change rpc.statd and sm-notify to take uid from the sm
+  directory.
  (bsc#1150733 CVE-2019-3689)

 -------------------------------------------------------------------
--- a/nfs-utils.spec
+++ b/nfs-utils.spec
@ -51,6 +51,7 @@ Patch3:         0003-systemd-run-statd-notify-even-when-nfs-client-isn-t-.patch
 Patch4:         0004-nfsidmap-honour-with-pluginpath-for-instalation.patch
 Patch5:         0005-nfs.conf-fail-to-disable-major-NFS-version-4-using-v.patch
 Patch6:         0006-nfs.conf-silence-include-error.patch
+Patch7:         0007-statd-user-from-sm

 BuildRequires:  e2fsprogs-devel
 BuildRequires:  fedfs-utils-devel
@ -154,6 +155,7 @@ This package contains additional NFS documentation.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1

 cp %{SOURCE6} .

@ -220,9 +222,9 @@ chmod 644 %{buildroot}%{_sbindir}/{mountstats,nfsiostat}
 %service_add_pre auth-rpcgss-module.service nfs-idmapd.service nfs-blkmap.service rpc-statd-notify.service rpc-gssd.service rpc-statd.service rpc-svcgssd.service

 %post -n nfs-client
-chown statd:nogroup %{_localstatedir}/lib/nfs > /dev/null 2>&1 || :
-for i in state sm sm.bak; do
-	chown -R statd %{_localstatedir}/lib/nfs/$i > /dev/null 2>&1 || :
+chown root:root %{_localstatedir}/lib/nfs > /dev/null 2>&1 || :
+for i in sm sm.bak; do
+	chown -R statd:nogroup %{_localstatedir}/lib/nfs/$i > /dev/null 2>&1 || :
 done
 ### migrate from /var/lock/subsys
 [ -d /run/nfs ] || mkdir /run/nfs
@ -349,7 +351,7 @@ fi
 %dir %{_localstatedir}/lib/nfs/v4recovery
 %attr(0700,statd,nogroup) %dir %{_localstatedir}/lib/nfs/sm
 %attr(0700,statd,nogroup) %dir %{_localstatedir}/lib/nfs/sm.bak
-%attr(0700,statd,nogroup) %ghost %{_localstatedir}/lib/nfs/state
+%ghost %{_localstatedir}/lib/nfs/state

 %files -n nfs-kernel-server
 %defattr(-,root,root)