- New upstream release 1.2.8 - mostly bugfixes, many to gssd.

No important new functionality
- Changes to ./configure command to remove warnings
- 8 more patches from upstream 'git' to fix non-trivial bugs
  including one CVE.

OBS-URL: https://build.opensuse.org/package/show/Base:System/nfs-utils?expand=0&rev=87
Neil Brown 2013-07-22 06:15:20 +00:00 committed by Git OBS Bridge
parent 5214231f27
commit 3ade29ac96
10 changed files with 408 additions and 7 deletions


@ -0,0 +1,81 @@
From 23d3980b6cfea4e9056d9b7b81e48b4fefc645e0 Mon Sep 17 00:00:00 2001
From: NeilBrown <neilb@suse.de>
Date: Tue, 7 May 2013 11:46:18 -0400
Subject: [PATCH] mountd: Fix is_subdirectory again
The problem was that is_subdirectory() would also succeed if the two
directories were the same. This is needed for path_matches() which
needs to see if the child is same-or-descendant.
So this patch rearranges path_matches() to do the "are they the same"
test itself and only bother with is_subdirectory() if it they are not
the same.
So now is_subdirectory() can be strict, and so can be usable for
subexport(), which needs a strong 'in subdirectory - not the same' test.
Acked-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
---
utils/mountd/cache.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/utils/mountd/cache.c b/utils/mountd/cache.c
index 737927c..517aa62 100644
--- a/utils/mountd/cache.c
+++ b/utils/mountd/cache.c
@@ -347,20 +347,26 @@ static char *next_mnt(void **v, char *p)
static int is_subdirectory(char *child, char *parent)
{
+ /* Check is child is strictly a subdirectory of
+ * parent or a more distant descendant.
+ */
size_t l = strlen(parent);
- if (strcmp(parent, "/") == 0)
+ if (strcmp(parent, "/") == 0 && child[1] != 0)
return 1;
- return strcmp(child, parent) == 0
- || (strncmp(child, parent, l) == 0 && child[l] == '/');
+ return (strncmp(child, parent, l) == 0 && child[l] == '/');
}
static int path_matches(nfs_export *exp, char *path)
{
- if (exp->m_export.e_flags & NFSEXP_CROSSMOUNT)
- return is_subdirectory(path, exp->m_export.e_path);
- return strcmp(path, exp->m_export.e_path) == 0;
+ /* Does the path match the export? I.e. is it an
+ * exact match, or does the export have CROSSMOUNT, and path
+ * is a descendant?
+ */
+ return strcmp(path, exp->m_export.e_path) == 0
+ || ((exp->m_export.e_flags & NFSEXP_CROSSMOUNT)
+ && is_subdirectory(path, exp->m_export.e_path));
}
static int
@@ -369,15 +375,13 @@ export_matches(nfs_export *exp, char *dom, char *path, struct addrinfo *ai)
return path_matches(exp, path) && client_matches(exp, dom, ai);
}
-/* True iff e1 is a child of e2 and e2 has crossmnt set: */
+/* True iff e1 is a child of e2 (or descendant) and e2 has crossmnt set: */
static bool subexport(struct exportent *e1, struct exportent *e2)
{
char *p1 = e1->e_path, *p2 = e2->e_path;
- size_t l2 = strlen(p2);
return e2->e_flags & NFSEXP_CROSSMOUNT
- && strncmp(p1, p2, l2) == 0
- && p1[l2] == '/';
+ && is_subdirectory(p1, p2);
}
struct parsed_fsid {
--
1.8.3.1.487.g3e7a5b4
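Review bot: In the new `is_subdirectory`, the root special case reads `child[1]` without first establishing that `child[0]` is non-NUL, so an empty `child` reads one past its terminator, and a relative child such as `abc` is reported as a subdirectory of `/`; callers presumably always pass absolute paths, but the function itself does not check. Making the root case `if (strcmp(parent, "/") == 0) return child[0] == '/' && child[1] != 0;` keeps the strict semantics the commit wants and also rejects an empty or relative child. The new header comment has a typo: `Check is child` should read `Check if child`. `export_matches`, started by the `static int` at the end of the first hunk and continued in the second, begins and ends outside the visible lines.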


@ -0,0 +1,102 @@
From c93e8d8eeafec3e3228e24dfebef113e0a79a788 Mon Sep 17 00:00:00 2001
From: "Signed-off-by: NeilBrown" <neilb@suse.de>
Date: Tue, 28 May 2013 12:59:22 -0400
Subject: [PATCH] gssd: Fix recent fix to Avoid DNS reverse resolution in gssd.
The final version for this fix that was committed inverted the test
so makes no change in the important cases.
The documentation didn't really help a naive user know when the new -D
flag should be used.
And the code (once fixed) avoided DNS resolution on non-qualified names too,
which probably isn't a good idea.
This patch fixes all three issues.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
---
utils/gssd/gssd.man | 27 ++++++++++++++++++++++-----
utils/gssd/gssd_proc.c | 18 ++++++++++--------
2 files changed, 32 insertions(+), 13 deletions(-)
diff --git a/utils/gssd/gssd.man b/utils/gssd/gssd.man
index 1df75c5..ac13fd4 100644
--- a/utils/gssd/gssd.man
+++ b/utils/gssd/gssd.man
@@ -195,11 +195,28 @@ option when starting
.BR rpc.gssd .
.SH OPTIONS
.TP
-.B -D
-DNS Reverse lookups are not used for determining the
-server names pass to GSSAPI. This option will reverses that and forces
-the use of DNS Reverse resolution of the server's IP address to
-retrieve the server name to use in GSAPI authentication.
+.B \-D
+The server name passed to GSSAPI for authentication is normally the
+name exactly as requested. e.g. for NFS
+it is the server name in the "servername:/path" mount request. Only if this
+servername appears to be an IP address (IPv4 or IPv6) or an
+unqualified name (no dots) will a reverse DNS lookup
+will be performed to get the canoncial server name.
+
+If
+.B \-D
+is present, a reverse DNS lookup will
+.I always
+be used, even if the server name looks like a canonical name. So it
+is needed if partially qualified, or non canonical names are regularly
+used.
+
+Using
+.B \-D
+can introduce a security vulnerability, so it is recommended that
+.B \-D
+not be used, and that canonical names always be used when requesting
+services.
.TP
.B -f
Runs
diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index 6cd4276..b7e2bbb 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -175,7 +175,6 @@ get_servername(const char *name, const struct sockaddr *sa, const char *addr)
char *hostname;
char hbuf[NI_MAXHOST];
unsigned char buf[sizeof(struct in6_addr)];
- int servername = 0;
if (avoid_dns) {
/*
@@ -183,15 +182,18 @@ get_servername(const char *name, const struct sockaddr *sa, const char *addr)
* If it is an IP address, do the DNS lookup otherwise
* skip the DNS lookup.
*/
- servername = 0;
- if (strchr(name, '.') && inet_pton(AF_INET, name, buf) == 1)
- servername = 1; /* IPv4 */
- else if (strchr(name, ':') && inet_pton(AF_INET6, name, buf) == 1)
- servername = 1; /* or IPv6 */
-
- if (servername) {
+ int is_fqdn = 1;
+ if (strchr(name, '.') == NULL)
+ is_fqdn = 0; /* local name */
+ else if (inet_pton(AF_INET, name, buf) == 1)
+ is_fqdn = 0; /* IPv4 address */
+ else if (inet_pton(AF_INET6, name, buf) == 1)
+ is_fqdn = 0; /* IPv6 addrss */
+
+ if (is_fqdn) {
return strdup(name);
}
+ /* Sorry, cannot avoid dns after all */
}
switch (sa->sa_family) {
--
1.8.3.1.487.g3e7a5b4
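Review bot: The comment preceding the new `is_fqdn` block (it starts above the hunk; its visible tail reads `If it is an IP address, do the DNS lookup otherwise skip the DNS lookup`) now understates what the code does, since a name without any dot also falls through to the reverse lookup; suggest rewording the tail to `If it is an IP address or an unqualified name (no dots), do the DNS lookup; otherwise skip it.` The comment on the IPv6 branch has a typo, `IPv6 addrss`. Declaring `int is_fqdn = 1;` mid-block after the comment is C99-legal but unlike the declarations at the top of `get_servername`; moving it up beside `buf` would match the file's style. In the gssd.man hunk the sentence `will a reverse DNS lookup will be performed` doubles `will`, and `canoncial` should be `canonical`.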


@ -0,0 +1,45 @@
From a402f768db1dc6497cf7f592b33e142936897de2 Mon Sep 17 00:00:00 2001
From: Maximilian Wilhelm <max@rfc2324.org>
Date: Mon, 1 Jul 2013 11:58:13 -0400
Subject: [PATCH] Fix handling of preferred realm command line option.
The current implementation ignores any preferred realm specified on the
command line. Fix this behaviour and make sure the preferred realm is
used as first realm when trying to acquire a keytab entry
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Signed-off-by: Frederik Moellers <frederik.moellers@upb.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
---
utils/gssd/krb5_util.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index 9ef80f0..abebdcd 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -852,11 +852,19 @@ find_keytab_entry(krb5_context context, krb5_keytab kt, const char *tgtname,
}
/*
- * Try the "appropriate" realm first, and if nothing found for that
- * realm, try the default realm (if it hasn't already been tried).
+ * Make sure the preferred_realm, which may have been explicitly set
+ * on the command line, is tried first. If nothing is found go on with
+ * the host and local default realm (if that hasn't already been tried).
*/
i = 0;
realm = realmnames[i];
+
+ if (strcmp (realm, preferred_realm) != 0) {
+ realm = preferred_realm;
+ /* resetting the realmnames index */
+ i = -1;
+ }
+
while (1) {
if (realm == NULL) {
tried_all = 1;
--
1.8.3.1.487.g3e7a5b4


@ -0,0 +1,69 @@
From 94642a397d27ea0cfc6d798bc505482023eb5ec1 Mon Sep 17 00:00:00 2001
From: Weston Andros Adamson <dros@netapp.com>
Date: Mon, 1 Jul 2013 12:00:51 -0400
Subject: [PATCH] nfsiostat: restore output format
Recent changes to support python 3 changed the output of nfsiostat from:
read: ops/s kB/s kB/op retrans
avg RTT (ms) avg exe (ms)
48.094 2889.133 60.072 0 (0.0%)
177.160 184.833
...
to:
read:
ops/s kB/s kB/op retrans avg RTT (ms) avg exe
(ms)
0.000
0.000
0.000
0 (0.0%)
0.000
0.000
...
Signed-off-by: Weston Andros Adamson <dros@netapp.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
---
tools/nfs-iostat/nfs-iostat.py | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/tools/nfs-iostat/nfs-iostat.py b/tools/nfs-iostat/nfs-iostat.py
index dfbef87..c035537 100644
--- a/tools/nfs-iostat/nfs-iostat.py
+++ b/tools/nfs-iostat/nfs-iostat.py
@@ -353,14 +353,14 @@ class DeviceData:
exe_per_op = 0.0
op += ':'
- print('%s' % op.lower().ljust(15))
+ print('%s' % op.lower().ljust(15), end='')
print(' ops/s\t\t kB/s\t\t kB/op\t\tretrans\t\tavg RTT (ms)\tavg exe (ms)')
- print('\t\t%7.3f' % (ops / sample_time))
- print('\t%7.3f' % (kilobytes / sample_time))
- print('\t%7.3f' % kb_per_op)
- print(' %7d (%3.1f%%)' % (retrans, retrans_percent))
- print('\t%7.3f' % rtt_per_op)
+ print('\t\t%7.3f' % (ops / sample_time), end='')
+ print('\t%7.3f' % (kilobytes / sample_time), end='')
+ print('\t%7.3f' % kb_per_op, end='')
+ print(' %7d (%3.1f%%)' % (retrans, retrans_percent), end='')
+ print('\t%7.3f' % rtt_per_op, end='')
print('\t%7.3f' % exe_per_op)
def ops(self, sample_time):
@@ -392,7 +392,7 @@ class DeviceData:
print()
print(' op/s\t\trpc bklog')
- print('%7.2f' % (sends / sample_time))
+ print('%7.2f' % (sends / sample_time), end='')
print('\t%7.2f' % backlog)
if which == 0:
--
1.8.3.1.487.g3e7a5b4


@ -0,0 +1,48 @@
From 05e6d39a988e76d5803f79018a9e40d435f6d2f7 Mon Sep 17 00:00:00 2001
From: NeilBrown <neilb@suse.de>
Date: Tue, 2 Jul 2013 08:27:41 -0400
Subject: [PATCH] gssd: don't give up on machine credential if hostname not
available.
krb5_util tries various different credential names in order to find
the machine credential, not all of them use the full host name of the
current host.
So if getting the full host name fails, don't give up completely,
still try the other options.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
---
utils/gssd/krb5_util.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index abebdcd..a6c7eb0 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -825,8 +825,10 @@ find_keytab_entry(krb5_context context, krb5_keytab kt, const char *tgtname,
myhostad[i+1] = 0;
retval = get_full_hostname(myhostname, myhostname, sizeof(myhostname));
- if (retval)
- goto out;
+ if (retval) {
+ /* Don't use myhostname */
+ myhostname[0] = 0;
+ }
code = krb5_get_default_realm(context, &default_realm);
if (code) {
@@ -891,6 +893,8 @@ find_keytab_entry(krb5_context context, krb5_keytab kt, const char *tgtname,
myhostad,
NULL);
} else {
+ if (!myhostname[0])
+ continue;
snprintf(spn, sizeof(spn), "%s/%s@%s",
svcnames[j], myhostname, realm);
code = krb5_build_principal_ext(context, &princ,
--
1.8.3.1.487.g3e7a5b4


@ -0,0 +1,31 @@
From da05b199a60e8a8fa91d4d3734cbbe84b23cff69 Mon Sep 17 00:00:00 2001
From: Doug Nazar <nazard.michi@gmail.com>
Date: Tue, 2 Jul 2013 08:45:31 -0400
Subject: [PATCH] gssd: fixed typo in machine cred name.
Commit 1c787f14 [gssd: scan for DIR: ccaches, too] changed the default
prefix for the credential cache files. Update the check to ignore the
machine credential file when running with -n (root ignores machine
credentials).
Signed-off-by: Steve Dickson <steved@redhat.com>
---
utils/gssd/krb5_util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index a6c7eb0..83b9651 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -231,7 +231,7 @@ gssd_find_existing_krb5_ccache(uid_t uid, char *dirname,
continue;
}
if (uid == 0 && !root_uses_machine_creds &&
- strstr(namelist[i]->d_name, "_machine_")) {
+ strstr(namelist[i]->d_name, "machine_")) {
printerr(3, "CC '%s' not available to root\n",
statname);
free(namelist[i]);
--
1.8.3.1.487.g3e7a5b4


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:7ef8e0a8b22cd7ff33f3afd28e770d45643fae303468a180640c2967833fe75e
size 2902130

nfs-utils-1.2.8.tar.bz2 Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:62ec061e32283699646515f6383cb54d0d88fb223343cec940a2701560b8b404
size 763630


@ -1,3 +1,12 @@
-------------------------------------------------------------------
Mon Jul 22 06:12:53 UTC 2013 - nfbrown@suse.com
- New upstream release 1.2.8 - mostly bugfixes, many to gssd.
No important new functionality
- Changes to ./configure command to remove warnings
- 8 more patches from upstream 'git' to fix non-trivial bugs
including on CVE.
-------------------------------------------------------------------
Mon May 13 15:32:55 UTC 2013 - coolo@suse.com


@ -35,7 +35,7 @@ Url: http://kernel.org/pub/linux/utils/nfs-utils/
Summary: Support Utilities for Kernel nfsd
License: GPL-2.0+
Group: Productivity/Networking/NFS
Version: 1.2.7
Version: 1.2.8
Release: 0
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: %fillup_prereq %insserv_prereq
@ -57,6 +57,18 @@ Source11: idmapd.conf
Source12: start-statd
Source13: nfs-utils.rpmlintrc
Patch0: nfs-utils-1.0.7-bind-syntax.patch
# PATCH-FIX-UPSTREAM 0001-mountd-Fix-is_subdirectory-again.patch upstream-bugfix nfbrown@suse.de
Patch1: 0001-mountd-Fix-is_subdirectory-again.patch
# PATCH-FIX-UPSTREAM 0002-gssd-Fix-recent-fix-to-Avoid-DNS-reverse-resolution-.patch upstream-bugfix nfbrown@suse.de
Patch2: 0002-gssd-Fix-recent-fix-to-Avoid-DNS-reverse-resolution-.patch
# PATCH-FIX-UPSTREAM 0003-Fix-handling-of-preferred-realm-command-line-option.patch upstream-bugfix nfbrown@suse.de
Patch3: 0003-Fix-handling-of-preferred-realm-command-line-option.patch
# PATCH-FIX-UPSTREAM 0004-nfsiostat-restore-output-format.patch upstream-bugfix nfbrown@suse.de
Patch4: 0004-nfsiostat-restore-output-format.patch
# PATCH-FIX-UPSTREAM 0005-gssd-don-t-give-up-on-machine-credential-if-hostname.patch upstream-bugfix nfbrown@suse.de
Patch5: 0005-gssd-don-t-give-up-on-machine-credential-if-hostname.patch
# PATCH-FIX-UPSTREAM 0006-gssd-fixed-typo-in-machine-cred-name.patch upstream-bugfix nfbrown@suse.de
Patch6: 0006-gssd-fixed-typo-in-machine-cred-name.patch
Suggests: python-base
%description
@ -107,21 +119,25 @@ This package contains additional NFS documentation.
%prep
%setup -q -n nfs-utils-%{version} -a 1
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
cp %{S:6} .
%build
rm -f configure; autoreconf -fi
CFLAGS="$RPM_OPT_FLAGS -fPIE -fno-strict-aliasing" LDFLAGS="-pie" ./configure \
--mandir=%{_mandir} \
--disable-rquotad \
--enable-nfsv4 \
--enable-gss \
--enable-ipv6 \
--enable-nfsdcltrack \
--enable-mount \
--enable-libmount-mount \
--enable-mountconfig \
--with-krb5=/usr/lib/mit
--enable-mountconfig
make
cd nfs
for i in *.html ; do