I had merged, but not pushed this. Sorry about that.
It is now pushed. Bruce On Mon, Sep 17, 2018 at 9:34 PM, ChenQi <[email protected]> wrote: > ping > > > On 09/13/2018 06:15 PM, Chen Qi wrote: >> >> Backport patches to fix the following CVE. >> >> CVE: CVE-2018-1088 >> >> Signed-off-by: Chen Qi <[email protected]> >> --- >> ...age-Prevent-mounting-shared-storage-from-.patch | 70 ++++++ >> ...auth-add-option-for-strict-authentication.patch | 280 >> +++++++++++++++++++++ >> recipes-extended/glusterfs/glusterfs.inc | 2 + >> 3 files changed, 352 insertions(+) >> create mode 100644 >> recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch >> create mode 100644 >> recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch >> >> diff --git >> a/recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch >> b/recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch >> new file mode 100644 >> index 0000000..0e24c56 >> --- /dev/null >> +++ >> b/recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch >> @@ -0,0 +1,70 @@ >> +From d1936056d77abcfda14386235a88ed553341a429 Mon Sep 17 00:00:00 2001 >> +From: Mohammed Rafi KC <[email protected]> >> +Date: Mon, 26 Mar 2018 20:27:34 +0530 >> +Subject: [PATCH 1/3] shared storage: Prevent mounting shared storage from >> + non-trusted client >> + >> +gluster shared storage is a volume used for internal storage for >> +various features including ganesha, geo-rep, snapshot. >> + >> +So this volume should not be exposed to the client, as it is >> +a special volume for internal use. >> + >> +This fix wont't generate non trusted volfile for shared storage volume. >> + >> +Change-Id: I8ffe30ae99ec05196d75466210b84db311611a4c >> +fixes: bz#1568844 >> +BUG: 1568844 >> +Signed-off-by: Mohammed Rafi KC <[email protected]> >> + >> +Upstream-Status: Backport >> +Fix CVE-2018-1088 >> + >> +Signed-off-by: Chen Qi <[email protected]> >> + >> +--- >> + xlators/mgmt/glusterd/src/glusterd-volgen.c | 21 +++++++++++++++++++++ >> + 1 file changed, 21 insertions(+) >> + >> +diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c >> b/xlators/mgmt/glusterd/src/glusterd-volgen.c >> +index 0a0668e..308c41f 100644 >> +--- a/xlators/mgmt/glusterd/src/glusterd-volgen.c >> ++++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c >> +@@ -5721,6 +5721,7 @@ generate_client_volfiles (glusterd_volinfo_t >> *volinfo, >> + int i = 0; >> + int ret = -1; >> + char filepath[PATH_MAX] = {0,}; >> ++ char *volname = NULL; >> + char *types[] = {NULL, NULL, NULL}; >> + dict_t *dict = NULL; >> + xlator_t *this = NULL; >> +@@ -5728,6 +5729,26 @@ generate_client_volfiles (glusterd_volinfo_t >> *volinfo, >> + >> + this = THIS; >> + >> ++ volname = volinfo->is_snap_volume ? >> ++ volinfo->parent_volname : volinfo->volname; >> ++ >> ++ >> ++ if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE) && >> ++ client_type != GF_CLIENT_TRUSTED) { >> ++ /* >> ++ * shared storage volume cannot be mounted from non >> trusted >> ++ * nodes. So we are not creating volfiles for >> non-trusted >> ++ * clients for shared volumes as well as snapshot of >> shared >> ++ * volumes. >> ++ */ >> ++ >> ++ ret = 0; >> ++ gf_msg_debug ("glusterd", 0, "Skipping the non-trusted >> volfile" >> ++ "creation for shared storage volume. >> Volume %s", >> ++ volname); >> ++ goto out; >> ++ } >> ++ >> + enumerate_transport_reqs (volinfo->transport_type, types); >> + dict = dict_new (); >> + if (!dict) >> +-- >> +2.7.4 >> + >> diff --git >> a/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch >> b/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch >> new file mode 100644 >> index 0000000..8947f27 >> --- /dev/null >> +++ >> b/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch >> @@ -0,0 +1,280 @@ >> +From a74ab3ab169add1e86aae0a99855211b948be021 Mon Sep 17 00:00:00 2001 >> +From: Mohammed Rafi KC <[email protected]> >> +Date: Mon, 2 Apr 2018 12:20:47 +0530 >> +Subject: [PATCH 2/3] server/auth: add option for strict authentication >> + >> +When this option is enabled, we will check for a matching >> +username and password, if not found then the connection will >> +be rejected. This also does a checksum validation of volfile >> + >> +The option is invalid when SSL/TLS is in use, at which point >> +the SSL/TLS certificate user name is used to validate and >> +hence authorize the right user. This expects TLS allow rules >> +to be setup correctly rather than the default *. >> + >> +This option is not settable, as a result this cannot be enabled >> +for volumes using the CLI. This is used with the shared storage >> +volume, to restrict access to the same in non-SSL/TLS environments >> +to the gluster peers only. >> + >> +Tested: >> + ./tests/bugs/protocol/bug-1321578.t >> + ./tests/features/ssl-authz.t >> + - Ran tests on volumes with and without strict auth >> + checking (as brick vol file needed to be edited to test, >> + or rather to enable the option) >> + - Ran tests on volumes to ensure existing mounts are >> + disconnected when we enable strict checking >> + >> +Change-Id: I2ac4f0cfa5b59cc789cc5a265358389b04556b59 >> +fixes: bz#1568844 >> +Signed-off-by: Mohammed Rafi KC <[email protected]> >> +Signed-off-by: ShyamsundarR <[email protected]> >> + >> +Upstream-Status: Backport >> +Fix CVE-2018-1088 >> + >> +Signed-off-by: Chen Qi <[email protected]> >> + >> +--- >> + xlators/mgmt/glusterd/src/glusterd-volgen.c | 16 +++++++- >> + xlators/protocol/auth/login/src/login.c | 51 >> ++++++++++++++++++++++---- >> + xlators/protocol/server/src/authenticate.h | 4 +- >> + xlators/protocol/server/src/server-handshake.c | 2 +- >> + xlators/protocol/server/src/server.c | 18 +++++++++ >> + xlators/protocol/server/src/server.h | 2 + >> + 6 files changed, 81 insertions(+), 12 deletions(-) >> + >> +diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c >> b/xlators/mgmt/glusterd/src/glusterd-volgen.c >> +index 308c41f..8dd4907 100644 >> +--- a/xlators/mgmt/glusterd/src/glusterd-volgen.c >> ++++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c >> +@@ -2250,6 +2250,7 @@ brick_graph_add_server (volgen_graph_t *graph, >> glusterd_volinfo_t *volinfo, >> + char *password = NULL; >> + char key[1024] = {0}; >> + char *ssl_user = NULL; >> ++ char *volname = NULL; >> + char *address_family_data = NULL; >> + >> + if (!graph || !volinfo || !set_dict || !brickinfo) >> +@@ -2325,6 +2326,19 @@ brick_graph_add_server (volgen_graph_t *graph, >> glusterd_volinfo_t *volinfo, >> + if (ret) >> + return -1; >> + >> ++ volname = volinfo->is_snap_volume ? >> ++ volinfo->parent_volname : volinfo->volname; >> ++ >> ++ >> ++ if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE)) { >> ++ memset (key, 0, sizeof (key)); >> ++ snprintf (key, sizeof (key), "strict-auth-accept"); >> ++ >> ++ ret = xlator_set_option (xl, key, "true"); >> ++ if (ret) >> ++ return -1; >> ++ } >> ++ >> + if (dict_get_str (volinfo->dict, "auth.ssl-allow", &ssl_user) == >> 0) { >> + memset (key, 0, sizeof (key)); >> + snprintf (key, sizeof (key), "auth.login.%s.ssl-allow", >> +@@ -5734,7 +5748,7 @@ generate_client_volfiles (glusterd_volinfo_t >> *volinfo, >> + >> + >> + if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE) && >> +- client_type != GF_CLIENT_TRUSTED) { >> ++ client_type != GF_CLIENT_TRUSTED) { >> + /* >> + * shared storage volume cannot be mounted from non >> trusted >> + * nodes. So we are not creating volfiles for >> non-trusted >> +diff --git a/xlators/protocol/auth/login/src/login.c >> b/xlators/protocol/auth/login/src/login.c >> +index e799dd2..da10d0b 100644 >> +--- a/xlators/protocol/auth/login/src/login.c >> ++++ b/xlators/protocol/auth/login/src/login.c >> +@@ -11,6 +11,16 @@ >> + #include <fnmatch.h> >> + #include "authenticate.h" >> + >> ++/* Note on strict_auth >> ++ * - Strict auth kicks in when authentication is using the username, >> password >> ++ * in the volfile to login >> ++ * - If enabled, auth is rejected if the username and password is not >> matched >> ++ * or is not present >> ++ * - When using SSL names, this is automatically strict, and allows only >> those >> ++ * names that are present in the allow list, IOW strict auth checking >> has no >> ++ * implication when using SSL names >> ++*/ >> ++ >> + auth_result_t gf_auth (dict_t *input_params, dict_t *config_params) >> + { >> + auth_result_t result = AUTH_DONT_CARE; >> +@@ -27,6 +37,7 @@ auth_result_t gf_auth (dict_t *input_params, dict_t >> *config_params) >> + char *tmp = NULL; >> + char *username_cpy = NULL; >> + gf_boolean_t using_ssl = _gf_false; >> ++ gf_boolean_t strict_auth = _gf_false; >> + >> + username_data = dict_get (input_params, "ssl-name"); >> + if (username_data) { >> +@@ -35,16 +46,39 @@ auth_result_t gf_auth (dict_t *input_params, dict_t >> *config_params) >> + using_ssl = _gf_true; >> + } >> + else { >> ++ ret = dict_get_str_boolean (config_params, >> "strict-auth-accept", >> ++ _gf_false); >> ++ if (ret == -1) >> ++ strict_auth = _gf_false; >> ++ else >> ++ strict_auth = ret; >> ++ >> + username_data = dict_get (input_params, "username"); >> + if (!username_data) { >> +- gf_log ("auth/login", GF_LOG_DEBUG, >> +- "username not found, returning >> DONT-CARE"); >> ++ if (strict_auth) { >> ++ gf_log ("auth/login", GF_LOG_DEBUG, >> ++ "username not found, strict >> auth" >> ++ " configured returning REJECT"); >> ++ result = AUTH_REJECT; >> ++ } else { >> ++ gf_log ("auth/login", GF_LOG_DEBUG, >> ++ "username not found, returning" >> ++ " DONT-CARE"); >> ++ } >> + goto out; >> + } >> + password_data = dict_get (input_params, "password"); >> + if (!password_data) { >> +- gf_log ("auth/login", GF_LOG_WARNING, >> +- "password not found, returning >> DONT-CARE"); >> ++ if (strict_auth) { >> ++ gf_log ("auth/login", GF_LOG_DEBUG, >> ++ "password not found, strict >> auth" >> ++ " configured returning REJECT"); >> ++ result = AUTH_REJECT; >> ++ } else { >> ++ gf_log ("auth/login", GF_LOG_WARNING, >> ++ "password not found, returning" >> ++ " DONT-CARE"); >> ++ } >> + goto out; >> + } >> + password = data_to_str (password_data); >> +@@ -62,9 +96,10 @@ auth_result_t gf_auth (dict_t *input_params, dict_t >> *config_params) >> + ret = gf_asprintf (&searchstr, "auth.login.%s.%s", brick_name, >> + using_ssl ? "ssl-allow" : "allow"); >> + if (-1 == ret) { >> +- gf_log ("auth/login", GF_LOG_WARNING, >> ++ gf_log ("auth/login", GF_LOG_ERROR, >> + "asprintf failed while setting search string, " >> +- "returning DONT-CARE"); >> ++ "returning REJECT"); >> ++ result = AUTH_REJECT; >> + goto out; >> + } >> + >> +@@ -92,8 +127,10 @@ auth_result_t gf_auth (dict_t *input_params, dict_t >> *config_params) >> + * ssl-allow=* case as well) authorization is >> effectively >> + * disabled, though authentication and encryption are >> still >> + * active. >> ++ * >> ++ * Read NOTE on strict_auth above. >> + */ >> +- if (using_ssl) { >> ++ if (using_ssl || strict_auth) { >> + result = AUTH_REJECT; >> + } >> + username_cpy = gf_strdup (allow_user->data); >> +diff --git a/xlators/protocol/server/src/authenticate.h >> b/xlators/protocol/server/src/authenticate.h >> +index 3f80231..5f92183 100644 >> +--- a/xlators/protocol/server/src/authenticate.h >> ++++ b/xlators/protocol/server/src/authenticate.h >> +@@ -37,10 +37,8 @@ typedef struct { >> + volume_opt_list_t *vol_opt; >> + } auth_handle_t; >> + >> +-auth_result_t gf_authenticate (dict_t *input_params, >> +- dict_t *config_params, >> +- dict_t *auth_modules); >> + int32_t gf_auth_init (xlator_t *xl, dict_t *auth_modules); >> + void gf_auth_fini (dict_t *auth_modules); >> ++auth_result_t gf_authenticate (dict_t *, dict_t *, dict_t *); >> + >> + #endif /* _AUTHENTICATE_H */ >> +diff --git a/xlators/protocol/server/src/server-handshake.c >> b/xlators/protocol/server/src/server-handshake.c >> +index f00804a..392a101 100644 >> +--- a/xlators/protocol/server/src/server-handshake.c >> ++++ b/xlators/protocol/server/src/server-handshake.c >> +@@ -631,7 +631,7 @@ server_setvolume (rpcsvc_request_t *req) >> + ret = dict_get_str (params, "volfile-key", >> + &volfile_key); >> + if (ret) >> +- gf_msg_debug (this->name, 0, "failed to >> set " >> ++ gf_msg_debug (this->name, 0, "failed to >> get " >> + "'volfile-key'"); >> + >> + ret = _validate_volfile_checksum (this, >> volfile_key, >> +diff --git a/xlators/protocol/server/src/server.c >> b/xlators/protocol/server/src/server.c >> +index 202fe71..61c6194 100644 >> +--- a/xlators/protocol/server/src/server.c >> ++++ b/xlators/protocol/server/src/server.c >> +@@ -883,6 +883,10 @@ do_rpc: >> + goto out; >> + } >> + >> ++ GF_OPTION_RECONF ("strict-auth-accept", >> conf->strict_auth_enabled, >> ++ options, bool, out); >> ++ >> ++ >> + GF_OPTION_RECONF ("dynamic-auth", conf->dync_auth, options, >> + bool, out); >> + >> +@@ -1113,6 +1117,14 @@ init (xlator_t *this) >> + "Failed to initialize group cache."); >> + goto out; >> + } >> ++ >> ++ ret = dict_get_str_boolean (this->options, "strict-auth-accept", >> ++ _gf_false); >> ++ if (ret == -1) >> ++ conf->strict_auth_enabled = _gf_false; >> ++ else >> ++ conf->strict_auth_enabled = ret; >> ++ >> + ret = dict_get_str_boolean (this->options, "dynamic-auth", >> + _gf_true); >> + if (ret == -1) >> +@@ -1667,5 +1679,11 @@ struct volume_options options[] = { >> + "transport connection immediately in response >> to " >> + "*.allow | *.reject volume set options." >> + }, >> ++ { .key = {"strict-auth-accept"}, >> ++ .type = GF_OPTION_TYPE_BOOL, >> ++ .default_value = "off", >> ++ .description = "strict-auth-accept reject connection with >> out" >> ++ "a valid username and password." >> ++ }, >> + { .key = {NULL} }, >> + }; >> +diff --git a/xlators/protocol/server/src/server.h >> b/xlators/protocol/server/src/server.h >> +index 0b37eb1..7eea291 100644 >> +--- a/xlators/protocol/server/src/server.h >> ++++ b/xlators/protocol/server/src/server.h >> +@@ -24,6 +24,7 @@ >> + #include "client_t.h" >> + #include "gidcache.h" >> + #include "defaults.h" >> ++#include "authenticate.h" >> + >> + #define DEFAULT_BLOCK_SIZE 4194304 /* 4MB */ >> + #define DEFAULT_VOLUME_FILE_PATH CONFDIR "/glusterfs.vol" >> +@@ -105,6 +106,7 @@ struct server_conf { >> + * false, when child is down >> */ >> + >> + gf_lock_t itable_lock; >> ++ gf_boolean_t strict_auth_enabled; >> + }; >> + typedef struct server_conf server_conf_t; >> + >> +-- >> +2.7.4 >> + >> diff --git a/recipes-extended/glusterfs/glusterfs.inc >> b/recipes-extended/glusterfs/glusterfs.inc >> index 02c8a6a..8bf5653 100644 >> --- a/recipes-extended/glusterfs/glusterfs.inc >> +++ b/recipes-extended/glusterfs/glusterfs.inc >> @@ -20,6 +20,8 @@ SRC_URI += "file://glusterd.init \ >> file://libglusterfs-Don-t-link-against-libfl.patch \ >> file://glusterd-change-port-range.patch \ >> >> file://configure.ac-allow-PYTHON-values-to-be-passed-via-en.patch \ >> + >> file://0001-shared-storage-Prevent-mounting-shared-storage-from-.patch \ >> + >> file://0002-server-auth-add-option-for-strict-authentication.patch \ >> " >> LICENSE = "(LGPLv3+ | GPLv2) & GPLv3+ & LGPLv3+ & GPLv2+ & LGPLv2+ & >> LGPLv2.1+ & Apache-2.0" > > > > -- > _______________________________________________ > meta-virtualization mailing list > [email protected] > https://lists.yoctoproject.org/listinfo/meta-virtualization -- "Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end" -- _______________________________________________ meta-virtualization mailing list [email protected] https://lists.yoctoproject.org/listinfo/meta-virtualization
