From 3df1d2bdfa668060b0a95d8ad01e097c8b18d49c961d32fe9f59ae3ce26cd4cb Mon Sep 17 00:00:00 2001 From: Neil Brown Date: Wed, 20 Nov 2019 23:59:04 +0000 Subject: [PATCH] - nfs-utils.spec - don't chown when not needed. Only chown directories in /var/lib/nfs to statd if they are currently owned by root. The chown is needed for some upgrades, but if the dirs are already owned by statd, an vulnerability in statd could be escalated to root. (bsc#1157321) OBS-URL: https://build.opensuse.org/package/show/Base:System/nfs-utils?expand=0&rev=210
---
 nfs-utils.changes | 11 +++++++++++
 nfs-utils.spec | 10 +++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/nfs-utils.changes b/nfs-utils.changes
index 7984807..b209f2d 100644
--- a/nfs-utils.changes
+++ b/nfs-utils.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Wed Nov 20 23:55:31 UTC 2019 - Neil Brown
+
+- nfs-utils.spec - don't chown when not needed.
+ Only chown directories in /var/lib/nfs to statd
+ if they are currently owned by root.
+ The chown is needed for some upgrades, but if the
+ dirs are already owned by statd, an vulnerability in
+ statd could be escalated to root.
+ (bsc#1157321)
+
 -------------------------------------------------------------------
 Mon Sep 23 01:52:29 UTC 2019 - Neil Brown
diff --git a/nfs-utils.spec b/nfs-utils.spec
index e877007..ae5d9b0 100644
--- a/nfs-utils.spec
+++ b/nfs-utils.spec
@@ -224,9 +224,17 @@ chmod 644 %{buildroot}%{_sbindir}/{mountstats,nfsiostat}
 %service_add_pre auth-rpcgss-module.service nfs-idmapd.service nfs-blkmap.service rpc-statd-notify.service rpc-gssd.service rpc-statd.service rpc-svcgssd.service
 %post -n nfs-client
+# lib/nfs must be root-owned.
+# sm and sm.back and contents should be statd:nogroup,
+# but only chown if the dirs are currently root-owned.
+# This is needed for some upgraded, but chown is best avoided
+# when not necessary
 chown root:root %{_localstatedir}/lib/nfs > /dev/null 2>&1 || :
 for i in sm sm.bak; do
- chown -R statd:nogroup %{_localstatedir}/lib/nfs/$i > /dev/null 2>&1 || :
+ p=%{_localstatedir}/lib/nfs/$i
+ if [ -d "$b" -a -n "`chown 2> /dev/null -c --from root statd:nogroup $p`" ]; then
+ chown -R statd:nogroup $p > /dev/null 2>&1 || :
+ fi
 done
 ### migrate from /var/lock/subsys
 [ -d /run/nfs ] || mkdir /run/nfs
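Review bot: The new test in the `%post -n nfs-client` loop checks `[ -d "$b" ...`, but only `p` is assigned in the visible lines, so `-d ""` is always false and the guarded `chown -R statd:nogroup $p` never runs. Because the shell expands the backquoted `chown -c --from root` probe before `[` evaluates anything, a root-owned top-level directory is still handed to statd while its contents are left untouched, which appears to break the upgrade case the comment describes. Suggest `if [ -d "$p" ] && [ -n "$(chown -c --from root statd:nogroup "$p" 2>/dev/null)" ]; then`, which also stops the probe from running on a non-directory and quotes the path. The added comment says `sm.back` where the loop uses `sm.bak`, and "upgraded" reads like a typo for "upgrades". The scriptlet continues past the end of the hunk.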