- Don't make /var/lib/nfs owned by statd.

Only sm sm.bak and state need to be accessible by statd. Providing they get created, the parent directory can be root-owned. (bsc#1150733 CVE-2019-3689) OBS-URL: https://build.opensuse.org/package/show/Base:System/nfs-utils?expand=0&rev=206
2019-09-16 23:45:23 +00:00 · 2019-09-16 23:45:23 +00:00 · 2c42cd5b0d
commit 2c42cd5b0d
parent 9571d78718
2 changed files with 10 additions and 1 deletions
--- a/nfs-utils.changes
+++ b/nfs-utils.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon Sep 16 23:43:37 UTC 2019 - Neil Brown <nfbrown@suse.com>
+
+- Don't make /var/lib/nfs owned by statd.
+  Only sm sm.bak and state need to be accessible by
+  statd.  Providing they get created, the parent
+  directory can be root-owned.
+  (bsc#1150733 CVE-2019-3689)
+
 -------------------------------------------------------------------
 Mon Sep 16 05:56:12 UTC 2019 - Neil Brown <nfbrown@suse.com>

--- a/nfs-utils.spec
+++ b/nfs-utils.spec
@ -344,7 +344,7 @@ fi
 %{_mandir}/man8/blkmapd.8%{ext_man}
 %{_mandir}/man8/rpc.svcgssd.8%{ext_man}
 %{_fillupdir}/sysconfig.nfs
-%attr(0711,statd,nogroup) %dir %{_localstatedir}/lib/nfs
+%dir %{_localstatedir}/lib/nfs
 %dir %{_localstatedir}/lib/nfs/rpc_pipefs
 %dir %{_localstatedir}/lib/nfs/v4recovery
 %attr(0700,statd,nogroup) %dir %{_localstatedir}/lib/nfs/sm