pool/nfs-utils
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
f3563f6114
nfs-utils/0002-mount-call-setgroups-before-setuid.patch
Neil Brown 5073990325 - update upstream version from 1.3.4 to 2.1.1 
The significant update is that configuration can
  now be read from a central /etc/nfs.conf file, and
  it can include other files such as /etc/sysconfig/nfs
  This means that the old nfs-config.service systemd
  unit is no longer needed.
- /etc/nfs.conf file created to import all sysconfig
  settings except *_OPTIONS directly into running code.
- dropins created to pass *_OPTIONS sysconfig setting to
  the various daemons.
- various specfile improvements, such as using "-D" in
  "install" commands, and adding "verify_permissions".
- "xtab" has not been needed for years and has now been remove.
- sysconfig.nfs updated, particular the ServiceRestart
  declarations have been tuned for systemd units.
- 0003-nfs-server-generator-handle-noauto-mounts-correctly.patch
  Fix the nfs-server-generator so that mounts marked "noauto"
  are not automatically mounted when NFS exported.
  (bsc#1019211)
- 0001-conffile-ignore-empty-environment-variables.patch
  0002-mount-call-setgroups-before-setuid.patch
  Other minor fixes found during testing.
- REMOVED 0001-Make-location-of-nfs-utils_env.sh-configurable.patch
  now included upstream

OBS-URL: https://build.opensuse.org/package/show/Base:System/nfs-utils?expand=0&rev=177
2017-02-08 02:43:23 +00:00

44 lines
1.3 KiB
Diff
Raw Blame History

From 5b7da9d70261583e67e114b36cb19973de15606d Mon Sep 17 00:00:00 2001
From: NeilBrown <neilb@suse.com>
Date: Wed, 8 Feb 2017 08:22:36 +1100
Subject: [PATCH] mount: call setgroups() before setuid()
It is generally wise to call setgroups() (and setgid()) before calling
setuid() to ensure no unexpected permission leaks happen.
SUSE's build system check all binaries for conformance with this
and generates a warning for mountd.
As we set setting the uid to 0, there is no risk that the group list
will provide extra permissions, so there is no real risk here.
But it is nice to silence warnings, and including a setgroups()
call is probably a good practice to encourage.
Signed-off-by: NeilBrown <neilb@suse.com>
---
utils/mount/network.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/utils/mount/network.c b/utils/mount/network.c
index d1c8fec75174..281e9354a7fa 100644
--- a/utils/mount/network.c
+++ b/utils/mount/network.c
@@ -33,6 +33,7 @@
#include <errno.h>
#include <netdb.h>
#include <time.h>
+#include <grp.h>
#include <sys/types.h>
#include <sys/socket.h>
@@ -804,6 +805,7 @@ int start_statd(void)
pid_t pid = fork();
switch (pid) {
case 0: /* child */
+ setgroups(0, NULL);
setgid(0);
setuid(0);
execle(START_STATD, START_STATD, NULL, envp);
--
2.11.0
Reference in New Issue View Git Blame Copy Permalink