From 3ade29ac969506e771eedd085e8c7973d3e33e56a3120cb52a19c6f295d91225 Mon Sep 17 00:00:00 2001
From: Neil Brown
Date: Mon, 22 Jul 2013 06:15:20 +0000
Subject: [PATCH] - New upstream release 1.2.8 - mostly bugfixes, many to gssd. No important new functionality - Changes to ./configure command to remove warnings - 8 more patches from upstream 'git' to fix non-trivial bugs including on CVE.
OBS-URL: https://build.opensuse.org/package/show/Base:System/nfs-utils?expand=0&rev=87
---
 0001-mountd-Fix-is_subdirectory-again.patch | 81 ++++++++++++++
 ...fix-to-Avoid-DNS-reverse-resolution-.patch | 102 ++++++++++++++++++
 ...-preferred-realm-command-line-option.patch | 45 ++++++++
 0004-nfsiostat-restore-output-format.patch | 69 ++++++++++++
 ...up-on-machine-credential-if-hostname.patch | 48 +++++++++
 ...gssd-fixed-typo-in-machine-cred-name.patch | 31 ++++++
 nfs-utils-1.2.7.tar.bz2 | 3 -
 nfs-utils-1.2.8.tar.bz2 | 3 +
 nfs-utils.changes | 9 ++
 nfs-utils.spec | 24 ++++-
 10 files changed, 408 insertions(+), 7 deletions(-)
 create mode 100644 0001-mountd-Fix-is_subdirectory-again.patch
 create mode 100644 0002-gssd-Fix-recent-fix-to-Avoid-DNS-reverse-resolution-.patch
 create mode 100644 0003-Fix-handling-of-preferred-realm-command-line-option.patch
 create mode 100644 0004-nfsiostat-restore-output-format.patch
 create mode 100644 0005-gssd-don-t-give-up-on-machine-credential-if-hostname.patch
 create mode 100644 0006-gssd-fixed-typo-in-machine-cred-name.patch
 delete mode 100644 nfs-utils-1.2.7.tar.bz2
 create mode 100644 nfs-utils-1.2.8.tar.bz2
diff --git a/0001-mountd-Fix-is_subdirectory-again.patch b/0001-mountd-Fix-is_subdirectory-again.patch
new file mode 100644
index 0000000..54c0317
--- /dev/null
+++ b/0001-mountd-Fix-is_subdirectory-again.patch
@@ -0,0 +1,81 @@
+From 23d3980b6cfea4e9056d9b7b81e48b4fefc645e0 Mon Sep 17 00:00:00 2001
+From: NeilBrown
+Date: Tue, 7 May 2013 11:46:18 -0400
+Subject: [PATCH] mountd: Fix is_subdirectory again
+
+The problem was that is_subdirectory() would also succeed if the two
+directories were the same. This is needed for path_matches() which
+needs to see if the child is same-or-descendant.
+
+So this patch rearranges path_matches() to do the "are they the same"
+test itself and only bother with is_subdirectory() if it they are not
+the same.
+
+So now is_subdirectory() can be strict, and so can be usable for
+subexport(), which needs a strong 'in subdirectory - not the same' test.
+
+Acked-by: J. Bruce Fields
+Signed-off-by: NeilBrown
+Signed-off-by: Steve Dickson
+---
+ utils/mountd/cache.c | 24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+
+diff --git a/utils/mountd/cache.c b/utils/mountd/cache.c
+index 737927c..517aa62 100644
+--- a/utils/mountd/cache.c
++++ b/utils/mountd/cache.c
+@@ -347,20 +347,26 @@ static char *next_mnt(void **v, char *p)
+ 
+ static int is_subdirectory(char *child, char *parent)
+ {
++ /* Check is child is strictly a subdirectory of
++ * parent or a more distant descendant.
++ */
+ size_t l = strlen(parent);
+ 
+- if (strcmp(parent, "/") == 0)
++ if (strcmp(parent, "/") == 0 && child[1] != 0)
+ return 1;
+ 
+- return strcmp(child, parent) == 0
+- || (strncmp(child, parent, l) == 0 && child[l] == '/');
++ return (strncmp(child, parent, l) == 0 && child[l] == '/');
+ }
+ 
+ static int path_matches(nfs_export *exp, char *path)
+ {
+- if (exp->m_export.e_flags & NFSEXP_CROSSMOUNT)
+- return is_subdirectory(path, exp->m_export.e_path);
+- return strcmp(path, exp->m_export.e_path) == 0;
++ /* Does the path match the export? I.e. is it an
++ * exact match, or does the export have CROSSMOUNT, and path
++ * is a descendant?
++ */
++ return strcmp(path, exp->m_export.e_path) == 0
++ || ((exp->m_export.e_flags & NFSEXP_CROSSMOUNT)
++ && is_subdirectory(path, exp->m_export.e_path));
+ }
+ 
+ static int
+@@ -369,15 +375,13 @@ export_matches(nfs_export *exp, char *dom, char *path, struct addrinfo *ai)
+ return path_matches(exp, path) && client_matches(exp, dom, ai);
+ }
+ 
+-/* True iff e1 is a child of e2 and e2 has crossmnt set: */
++/* True iff e1 is a child of e2 (or descendant) and e2 has crossmnt set: */
+ static bool subexport(struct exportent *e1, struct exportent *e2)
+ {
+ char *p1 = e1->e_path, *p2 = e2->e_path;
+- size_t l2 = strlen(p2);
+ 
+ return e2->e_flags & NFSEXP_CROSSMOUNT
+- && strncmp(p1, p2, l2) == 0
+- && p1[l2] == '/';
++ && is_subdirectory(p1, p2);
+ }
+ 
+ struct parsed_fsid {
+--
+1.8.3.1.487.g3e7a5b4
+
diff --git a/0002-gssd-Fix-recent-fix-to-Avoid-DNS-reverse-resolution-.patch b/0002-gssd-Fix-recent-fix-to-Avoid-DNS-reverse-resolution-.patch
new file mode 100644
index 0000000..70d6f90
--- /dev/null
+++ b/0002-gssd-Fix-recent-fix-to-Avoid-DNS-reverse-resolution-.patch
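Review bot: The new root-parent branch in is_subdirectory(), `if (strcmp(parent, "/") == 0 && child[1] != 0)`, indexes child[1] without checking that child is non-empty, so an empty child string reads one byte past its terminator; the two callers in this hunk pass export paths that presumably always begin with '/', but the function now silently depends on that. A one-line guard keeps it self-contained and also rejects a relative child for the root export: `if (strcmp(parent, "/") == 0) return child[0] == '/' && child[1] != 0;`. The new comment has a typo, `Check is child` should read `Check if child`. Note too that subexport() changes meaning for a crossmnt export of "/": the old `strncmp(p1, p2, l2) == 0 && p1[l2] == '/'` test could only match a "//..." path there, whereas is_subdirectory() now reports every other absolute path as its subexport — that looks like the intended fix, but the commit message does not mention it.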
@@ -0,0 +1,102 @@
+From c93e8d8eeafec3e3228e24dfebef113e0a79a788 Mon Sep 17 00:00:00 2001
+From: "Signed-off-by: NeilBrown"
+Date: Tue, 28 May 2013 12:59:22 -0400
+Subject: [PATCH] gssd: Fix recent fix to Avoid DNS reverse resolution in gssd.
+
+The final version for this fix that was committed inverted the test
+so makes no change in the important cases.
+
+The documentation didn't really help a naive user know when the new -D
+flag should be used.
+
+And the code (once fixed) avoided DNS resolution on non-qualified names too,
+which probably isn't a good idea.
+
+This patch fixes all three issues.
+
+Signed-off-by: NeilBrown
+Signed-off-by: Steve Dickson
+---
+ utils/gssd/gssd.man | 27 ++++++++++++++++++++++-----
+ utils/gssd/gssd_proc.c | 18 ++++++++++--------
+ 2 files changed, 32 insertions(+), 13 deletions(-)
+
+diff --git a/utils/gssd/gssd.man b/utils/gssd/gssd.man
+index 1df75c5..ac13fd4 100644
+--- a/utils/gssd/gssd.man
++++ b/utils/gssd/gssd.man
+@@ -195,11 +195,28 @@ option when starting
+ .BR rpc.gssd .
+ .SH OPTIONS
+ .TP
+-.B -D
+-DNS Reverse lookups are not used for determining the
+-server names pass to GSSAPI. This option will reverses that and forces
+-the use of DNS Reverse resolution of the server's IP address to
+-retrieve the server name to use in GSAPI authentication.
++.B \-D
++The server name passed to GSSAPI for authentication is normally the
++name exactly as requested. e.g. for NFS
++it is the server name in the "servername:/path" mount request. Only if this
++servername appears to be an IP address (IPv4 or IPv6) or an
++unqualified name (no dots) will a reverse DNS lookup
++will be performed to get the canoncial server name.
++
++If
++.B \-D
++is present, a reverse DNS lookup will
++.I always
++be used, even if the server name looks like a canonical name. So it
++is needed if partially qualified, or non canonical names are regularly
++used.
++
++Using
++.B \-D
++can introduce a security vulnerability, so it is recommended that
++.B \-D
++not be used, and that canonical names always be used when requesting
++services.
+ .TP
+ .B -f
+ Runs
+diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
+index 6cd4276..b7e2bbb 100644
+--- a/utils/gssd/gssd_proc.c
++++ b/utils/gssd/gssd_proc.c
+@@ -175,7 +175,6 @@ get_servername(const char *name, const struct sockaddr *sa, const char *addr)
+ char *hostname;
+ char hbuf[NI_MAXHOST];
+ unsigned char buf[sizeof(struct in6_addr)];
+- int servername = 0;
+ 
+ if (avoid_dns) {
+ /*
+@@ -183,15 +182,18 @@ get_servername(const char *name, const struct sockaddr *sa, const char *addr)
+ * If it is an IP address, do the DNS lookup otherwise
+ * skip the DNS lookup.
+ */
+- servername = 0;
+- if (strchr(name, '.') && inet_pton(AF_INET, name, buf) == 1)
+- servername = 1; /* IPv4 */
+- else if (strchr(name, ':') && inet_pton(AF_INET6, name, buf) == 1)
+- servername = 1; /* or IPv6 */
+-
+- if (servername) {
++ int is_fqdn = 1;
++ if (strchr(name, '.') == NULL)
++ is_fqdn = 0; /* local name */
++ else if (inet_pton(AF_INET, name, buf) == 1)
++ is_fqdn = 0; /* IPv4 address */
++ else if (inet_pton(AF_INET6, name, buf) == 1)
++ is_fqdn = 0; /* IPv6 addrss */
++
++ if (is_fqdn) {
+ return strdup(name);
+ }
++ /* Sorry, cannot avoid dns after all */
+ }
+ 
+ switch (sa->sa_family) {
+--
+1.8.3.1.487.g3e7a5b4
+
diff --git a/0003-Fix-handling-of-preferred-realm-command-line-option.patch b/0003-Fix-handling-of-preferred-realm-command-line-option.patch
new file mode 100644
index 0000000..07b90ff
--- /dev/null
+++ b/0003-Fix-handling-of-preferred-realm-command-line-option.patch
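Review bot: The comment left as context above the new `is_fqdn` logic in get_servername() still says `If it is an IP address, do the DNS lookup otherwise skip the DNS lookup`, but the rewritten code now also sends dot-less names through the reverse lookup, so the comment describes the old rule; it should read `Only a dotted name that is not an IPv4/IPv6 literal is used as-is; addresses and unqualified names still go through reverse DNS.` That fall-through is the security-relevant behaviour the new man text warns about, so having the code comment agree with it matters for anyone auditing which server names reach the DNS-derived path. The new comment `/* IPv6 addrss */` has a typo. In the gssd.man hunk, "will a reverse DNS lookup will be performed" doubles "will" and "canoncial" is misspelled; as this is a vendored upstream patch those are best corrected upstream rather than as a local delta. get_servername()'s body continues outside both hunks.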
@@ -0,0 +1,45 @@
+From a402f768db1dc6497cf7f592b33e142936897de2 Mon Sep 17 00:00:00 2001
+From: Maximilian Wilhelm
+Date: Mon, 1 Jul 2013 11:58:13 -0400
+Subject: [PATCH] Fix handling of preferred realm command line option.
+
+The current implementation ignores any preferred realm specified on the
+command line. Fix this behaviour and make sure the preferred realm is
+used as first realm when trying to acquire a keytab entry
+
+Signed-off-by: Maximilian Wilhelm
+Signed-off-by: Frederik Moellers
+Signed-off-by: Steve Dickson
+---
+ utils/gssd/krb5_util.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
+index 9ef80f0..abebdcd 100644
+--- a/utils/gssd/krb5_util.c
++++ b/utils/gssd/krb5_util.c
+@@ -852,11 +852,19 @@ find_keytab_entry(krb5_context context, krb5_keytab kt, const char *tgtname,
+ }
+ 
+ /*
+- * Try the "appropriate" realm first, and if nothing found for that
+- * realm, try the default realm (if it hasn't already been tried).
++ * Make sure the preferred_realm, which may have been explicitly set
++ * on the command line, is tried first. If nothing is found go on with
++ * the host and local default realm (if that hasn't already been tried).
+ */
+ i = 0;
+ realm = realmnames[i];
++
++ if (strcmp (realm, preferred_realm) != 0) {
++ realm = preferred_realm;
++ /* resetting the realmnames index */
++ i = -1;
++ }
++
+ while (1) {
+ if (realm == NULL) {
+ tried_all = 1;
+--
+1.8.3.1.487.g3e7a5b4
+
diff --git a/0004-nfsiostat-restore-output-format.patch b/0004-nfsiostat-restore-output-format.patch
new file mode 100644
index 0000000..51ef2bd
--- /dev/null
+++ b/0004-nfsiostat-restore-output-format.patch
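Review bot: `strcmp (realm, preferred_realm)` in find_keytab_entry() runs unconditionally, and either operand can be NULL: realm comes from realmnames, which the loop just below explicitly checks with `if (realm == NULL)`, and preferred_realm is presumably NULL when no realm was given on the command line (its definition is outside this hunk, so verify). strcmp() on a NULL pointer is undefined behaviour and in practice a crash of gssd on the authentication path, so the test should be `if (preferred_realm && (realm == NULL || strcmp(realm, preferred_realm) != 0)) {`. The `i = -1` reset also relies on the loop incrementing `i` before it indexes realmnames again; the loop body is outside the hunk, so if that is how it works a comment such as `/* -1 so the loop's increment restarts at realmnames[0] */` would make the coupling visible.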
@@ -0,0 +1,69 @@
+From 94642a397d27ea0cfc6d798bc505482023eb5ec1 Mon Sep 17 00:00:00 2001
+From: Weston Andros Adamson
+Date: Mon, 1 Jul 2013 12:00:51 -0400
+Subject: [PATCH] nfsiostat: restore output format
+
+Recent changes to support python 3 changed the output of nfsiostat from:
+
+read: ops/s kB/s kB/op retrans
+avg RTT (ms) avg exe (ms)
+ 48.094 2889.133 60.072 0 (0.0%)
+177.160 184.833
+...
+
+to:
+
+read:
+ ops/s kB/s kB/op retrans avg RTT (ms) avg exe
+(ms)
+ 0.000
+ 0.000
+ 0.000
+ 0 (0.0%)
+ 0.000
+ 0.000
+...
+
+Signed-off-by: Weston Andros Adamson
+Signed-off-by: Steve Dickson
+---
+ tools/nfs-iostat/nfs-iostat.py | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/tools/nfs-iostat/nfs-iostat.py b/tools/nfs-iostat/nfs-iostat.py
+index dfbef87..c035537 100644
+--- a/tools/nfs-iostat/nfs-iostat.py
++++ b/tools/nfs-iostat/nfs-iostat.py
+@@ -353,14 +353,14 @@ class DeviceData:
+ exe_per_op = 0.0
+ 
+ op += ':'
+- print('%s' % op.lower().ljust(15))
++ print('%s' % op.lower().ljust(15), end='')
+ print(' ops/s\t\t kB/s\t\t kB/op\t\tretrans\t\tavg RTT (ms)\tavg exe (ms)')
+ 
+- print('\t\t%7.3f' % (ops / sample_time))
+- print('\t%7.3f' % (kilobytes / sample_time))
+- print('\t%7.3f' % kb_per_op)
+- print(' %7d (%3.1f%%)' % (retrans, retrans_percent))
+- print('\t%7.3f' % rtt_per_op)
++ print('\t\t%7.3f' % (ops / sample_time), end='')
++ print('\t%7.3f' % (kilobytes / sample_time), end='')
++ print('\t%7.3f' % kb_per_op, end='')
++ print(' %7d (%3.1f%%)' % (retrans, retrans_percent), end='')
++ print('\t%7.3f' % rtt_per_op, end='')
+ print('\t%7.3f' % exe_per_op)
+ 
+ def ops(self, sample_time):
+@@ -392,7 +392,7 @@ class DeviceData:
+ print()
+ 
+ print(' op/s\t\trpc bklog')
+- print('%7.2f' % (sends / sample_time))
++ print('%7.2f' % (sends / sample_time), end='')
+ print('\t%7.2f' % backlog)
+ 
+ if which == 0:
+--
+1.8.3.1.487.g3e7a5b4
+
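Review bot: The six consecutive `print(..., end='')` calls that build one values line in DeviceData are fragile — the bug this patch fixes was exactly one missing `end=''` — and would be both shorter and harder to break again as a single formatted print: `print('\t\t%7.3f\t%7.3f\t%7.3f %7d (%3.1f%%)\t%7.3f\t%7.3f' % (ops / sample_time, kilobytes / sample_time, kb_per_op, retrans, retrans_percent, rtt_per_op, exe_per_op))`, and likewise `print('%7.2f\t%7.2f' % (sends / sample_time, backlog))` in the second hunk. If this script is still expected to run under Python 2, `end=''` also requires `from __future__ import print_function` at the top of the file, which is outside the hunk, so check it is present. The enclosing methods start before and end after the hunks.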
diff --git a/0005-gssd-don-t-give-up-on-machine-credential-if-hostname.patch b/0005-gssd-don-t-give-up-on-machine-credential-if-hostname.patch
new file mode 100644
index 0000000..d693431
--- /dev/null
+++ b/0005-gssd-don-t-give-up-on-machine-credential-if-hostname.patch
@@ -0,0 +1,48 @@
+From 05e6d39a988e76d5803f79018a9e40d435f6d2f7 Mon Sep 17 00:00:00 2001
+From: NeilBrown
+Date: Tue, 2 Jul 2013 08:27:41 -0400
+Subject: [PATCH] gssd: don't give up on machine credential if hostname not
+ available.
+
+krb5_util tries various different credential names in order to find
+the machine credential, not all of them use the full host name of the
+current host.
+
+So if getting the full host name fails, don't give up completely,
+still try the other options.
+
+Signed-off-by: NeilBrown
+Signed-off-by: Steve Dickson
+---
+ utils/gssd/krb5_util.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
+index abebdcd..a6c7eb0 100644
+--- a/utils/gssd/krb5_util.c
++++ b/utils/gssd/krb5_util.c
+@@ -825,8 +825,10 @@ find_keytab_entry(krb5_context context, krb5_keytab kt, const char *tgtname,
+ myhostad[i+1] = 0;
+ 
+ retval = get_full_hostname(myhostname, myhostname, sizeof(myhostname));
+- if (retval)
+- goto out;
++ if (retval) {
++ /* Don't use myhostname */
++ myhostname[0] = 0;
++ }
+ 
+ code = krb5_get_default_realm(context, &default_realm);
+ if (code) {
+@@ -891,6 +893,8 @@ find_keytab_entry(krb5_context context, krb5_keytab kt, const char *tgtname,
+ myhostad,
+ NULL);
+ } else {
++ if (!myhostname[0])
++ continue;
+ snprintf(spn, sizeof(spn), "%s/%s@%s",
+ svcnames[j], myhostname, realm);
+ code = krb5_build_principal_ext(context, &princ,
+--
+1.8.3.1.487.g3e7a5b4
+
diff --git a/0006-gssd-fixed-typo-in-machine-cred-name.patch b/0006-gssd-fixed-typo-in-machine-cred-name.patch
new file mode 100644
index 0000000..c421348
--- /dev/null
+++ b/0006-gssd-fixed-typo-in-machine-cred-name.patch
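Review bot: After the rewritten `if (retval) { ... myhostname[0] = 0; }` block in find_keytab_entry(), `retval` still carries get_full_hostname()'s failure code even though the function now keeps going; if the remainder only overwrites retval on success before reaching `out:`, a later "no keytab entry found" exit would report the hostname error instead of the lookup result — the rest of the function is outside this hunk, so verify which it is. Adding `retval = 0;` beside `myhostname[0] = 0;` keeps the two outcomes separate at no cost. The second hunk's `if (!myhostname[0]) continue;` only guards the else branch, so the myhostad-based candidates built before this hunk are still attempted, which matches the commit message; a short comment there, `/* full hostname unavailable, skip host-based SPNs */`, would tie the two hunks together for the next reader.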
@@ -0,0 +1,31 @@
+From da05b199a60e8a8fa91d4d3734cbbe84b23cff69 Mon Sep 17 00:00:00 2001
+From: Doug Nazar
+Date: Tue, 2 Jul 2013 08:45:31 -0400
+Subject: [PATCH] gssd: fixed typo in machine cred name.
+
+Commit 1c787f14 [gssd: scan for DIR: ccaches, too] changed the default
+prefix for the credential cache files. Update the check to ignore the
+machine credential file when running with -n (root ignores machine
+credentials).
+
+Signed-off-by: Steve Dickson
+---
+ utils/gssd/krb5_util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
+index a6c7eb0..83b9651 100644
+--- a/utils/gssd/krb5_util.c
++++ b/utils/gssd/krb5_util.c
+@@ -231,7 +231,7 @@ gssd_find_existing_krb5_ccache(uid_t uid, char *dirname,
+ continue;
+ }
+ if (uid == 0 && !root_uses_machine_creds &&
+- strstr(namelist[i]->d_name, "_machine_")) {
++ strstr(namelist[i]->d_name, "machine_")) {
+ printerr(3, "CC '%s' not available to root\n",
+ statname);
+ free(namelist[i]);
+--
+1.8.3.1.487.g3e7a5b4
+
diff --git a/nfs-utils-1.2.7.tar.bz2 b/nfs-utils-1.2.7.tar.bz2
deleted file mode 100644
index 071c8fa..0000000
--- a/nfs-utils-1.2.7.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7ef8e0a8b22cd7ff33f3afd28e770d45643fae303468a180640c2967833fe75e
-size 2902130
diff --git a/nfs-utils-1.2.8.tar.bz2 b/nfs-utils-1.2.8.tar.bz2
new file mode 100644
index 0000000..7b4e1fb
--- /dev/null
+++ b/nfs-utils-1.2.8.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:62ec061e32283699646515f6383cb54d0d88fb223343cec940a2701560b8b404
+size 763630
diff --git a/nfs-utils.changes b/nfs-utils.changes
index 3c9b934..c7f47fb 100644
--- a/nfs-utils.changes
+++ b/nfs-utils.changes
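Review bot: Widening the test in gssd_find_existing_krb5_ccache() to `strstr(namelist[i]->d_name, "machine_")` is a substring match anywhere in the file name, so with `-n` root now also ignores any user ccache whose name merely contains "machine_", not just the machine credential cache. If the new default prefix from commit 1c787f14 puts "machine_" directly after the prefix, an anchored comparison is tighter, e.g. `strncmp(namelist[i]->d_name + PREFIX_LEN, "machine_", 8) == 0` where PREFIX_LEN stands for the length of the actual prefix variable, which is outside this hunk. At minimum a comment on the changed line, `/* machine ccache is "<prefix>machine_..." since 1c787f14 */`, would record why the leading underscore was dropped, since "fixed typo" in the subject undersells a behaviour change in a root-credential check.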
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon Jul 22 06:12:53 UTC 2013 - nfbrown@suse.com
+
+- New upstream release 1.2.8 - mostly bugfixes, many to gssd.
+ No important new functionality
+- Changes to ./configure command to remove warnings
+- 8 more patches from upstream 'git' to fix non-trivial bugs
+ including on CVE.
+
 -------------------------------------------------------------------
 Mon May 13 15:32:55 UTC 2013 - coolo@suse.com
 
diff --git a/nfs-utils.spec b/nfs-utils.spec
index a097b83..3447a55 100644
--- a/nfs-utils.spec
+++ b/nfs-utils.spec
@@ -35,7 +35,7 @@ Url: http://kernel.org/pub/linux/utils/nfs-utils/
 Summary: Support Utilities for Kernel nfsd
 License: GPL-2.0+
 Group: Productivity/Networking/NFS
-Version: 1.2.7
+Version: 1.2.8
 Release: 0
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 PreReq: %fillup_prereq %insserv_prereq
@@ -57,6 +57,18 @@ Source11: idmapd.conf
 Source12: start-statd
 Source13: nfs-utils.rpmlintrc
 Patch0: nfs-utils-1.0.7-bind-syntax.patch
+# PATCH-FIX-UPSTREAM 0001-mountd-Fix-is_subdirectory-again.patch upstream-bugfix nfbrown@suse.de
+Patch1: 0001-mountd-Fix-is_subdirectory-again.patch
+# PATCH-FIX-UPSTREAM 0002-gssd-Fix-recent-fix-to-Avoid-DNS-reverse-resolution-.patch upstream-bugfix nfbrown@suse.de
+Patch2: 0002-gssd-Fix-recent-fix-to-Avoid-DNS-reverse-resolution-.patch
+# PATCH-FIX-UPSTREAM 0003-Fix-handling-of-preferred-realm-command-line-option.patch upstream-bugfix nfbrown@suse.de
+Patch3: 0003-Fix-handling-of-preferred-realm-command-line-option.patch
+# PATCH-FIX-UPSTREAM 0004-nfsiostat-restore-output-format.patch upstream-bugfix nfbrown@suse.de
+Patch4: 0004-nfsiostat-restore-output-format.patch
+# PATCH-FIX-UPSTREAM 0005-gssd-don-t-give-up-on-machine-credential-if-hostname.patch upstream-bugfix nfbrown@suse.de
+Patch5: 0005-gssd-don-t-give-up-on-machine-credential-if-hostname.patch
+# PATCH-FIX-UPSTREAM 0006-gssd-fixed-typo-in-machine-cred-name.patch upstream-bugfix nfbrown@suse.de
+Patch6: 0006-gssd-fixed-typo-in-machine-cred-name.patch
 Suggests: python-base
 
 %description
@@ -107,21 +119,25 @@ This package contains additional NFS documentation.
 %prep
 %setup -q -n nfs-utils-%{version} -a 1
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
 cp %{S:6} .
 
 %build
 rm -f configure; autoreconf -fi
 CFLAGS="$RPM_OPT_FLAGS -fPIE -fno-strict-aliasing" LDFLAGS="-pie" ./configure \
 --mandir=%{_mandir} \
- --disable-rquotad \
 --enable-nfsv4 \
 --enable-gss \
 --enable-ipv6 \
 --enable-nfsdcltrack \
 --enable-mount \
 --enable-libmount-mount \
- --enable-mountconfig \
- --with-krb5=/usr/lib/mit
+ --enable-mountconfig
 make
 cd nfs
 for i in *.html ; do
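Review bot: None of the six new `# PATCH-FIX-UPSTREAM` tag lines records the CVE that the changelog says one of these patches fixes, so the security fix is not traceable from the spec; the tag for the affected patch should carry it, e.g. `# PATCH-FIX-UPSTREAM 000N-....patch CVE-YYYY-NNNN upstream-bugfix nfbrown@suse.de` with the real identifier filled in. In the second hunk, `--disable-rquotad` and `--with-krb5=/usr/lib/mit` are dropped without explanation; the changelog only says "remove warnings", and whether 1.2.8 now builds rquotad or picks a different Kerberos library is left to configure's defaults, so a comment above `./configure \` such as `# 1.2.8 configure no longer accepts --disable-rquotad or --with-krb5` would stop the next updater from re-adding them, and %files (outside this hunk) should be checked in case rquotad is now built. The Patch1–Patch6 declarations and the %patch1–%patch6 applications agree with each other.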