Hello community, here is the log from the commit of package aws-efs-utils for openSUSE:Factory checked in at 2019-04-11 08:47:58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/aws-efs-utils (Old) and /work/SRC/openSUSE:Factory/.aws-efs-utils.new.27019 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "aws-efs-utils" Thu Apr 11 08:47:58 2019 rev:3 rq:692718 version:1.7 Changes: -------- --- /work/SRC/openSUSE:Factory/aws-efs-utils/aws-efs-utils.changes 2019-04-04 12:08:06.897400144 +0200 +++ /work/SRC/openSUSE:Factory/.aws-efs-utils.new.27019/aws-efs-utils.changes 2019-04-11 08:48:00.800542966 +0200 @@ -1,0 +2,18 @@ +Tue Apr 9 22:29:17 UTC 2019 - John Paul Adrian Glaubitz <adrian.glaub...@suse.com> + +- Update to version 1.7 + + subprocess usage: explicitly pass `close_fds = True` + + state_file_dir: choose safe default mode, make mode configurable + + choose_tls_port(): reuse socket and explicitly close it in all cases + + watchdog: be robust against unrelated localhost based nfs mounts +- Drop hardening patches merged upstream + + 0001-subprocess-usage-explicitly-pass-close_fds-True.patch + + 0002-state_file_dir-choose-safe-default-mode-make-mode-co.patch + + 0003-pytest-adjust-tests-to-new-state_file_dir_mode-confi.patch + + 0004-choose_tls_port-reuse-socket-and-explicitly-close-it.patch + + 0005-watchdog-be-robust-against-unrelated-localhost-based.patch +- from version 1.6 + + fix for additional unexpected arguments + + add test for additional unexpected arguments + +------------------------------------------------------------------- Old: ---- 0001-subprocess-usage-explicitly-pass-close_fds-True.patch 0002-state_file_dir-choose-safe-default-mode-make-mode-co.patch 0003-pytest-adjust-tests-to-new-state_file_dir_mode-confi.patch 0004-choose_tls_port-reuse-socket-and-explicitly-close-it.patch 0005-watchdog-be-robust-against-unrelated-localhost-based.patch v1.5.tar.gz New: ---- v1.7.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ aws-efs-utils.spec ++++++ --- /var/tmp/diff_new_pack.3arsdj/_old 2019-04-11 08:48:01.600543791 +0200 +++ /var/tmp/diff_new_pack.3arsdj/_new 2019-04-11 08:48:01.600543791 +0200 
@@ -17,7 +17,7 @@ Name: aws-efs-utils -Version: 1.5 +Version: 1.7 Release: 0 Summary: Utilities for using the EFS file systems License: MIT @@ -25,12 +25,6 @@ Url: https://github.com/aws/efs-utils Source0: https://github.com/aws/efs-utils/archive/v%{version}.tar.gz Patch: efs-switchparser.patch -# Hardening patches (see: https://github.com/aws/efs-utils/pull/26 and bsc#1125133) -Patch1: 0001-subprocess-usage-explicitly-pass-close_fds-True.patch -Patch2: 0002-state_file_dir-choose-safe-default-mode-make-mode-co.patch -Patch3: 0003-pytest-adjust-tests-to-new-state_file_dir_mode-confi.patch -Patch4: 0004-choose_tls_port-reuse-socket-and-explicitly-close-it.patch -Patch5: 0005-watchdog-be-robust-against-unrelated-localhost-based.patch BuildRequires: systemd BuildRequires: systemd-rpm-macros Requires: nfs-utils @@ -44,12 +38,7 @@ %prep %setup -n efs-utils-%{version} find . -name "*.py" -exec sed -i 's/env python/python3/' {} + -%patch -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 +%patch -p1 %build # No build required ++++++ efs-switchparser.patch ++++++ --- /var/tmp/diff_new_pack.3arsdj/_old 2019-04-11 08:48:01.636543828 +0200 +++ /var/tmp/diff_new_pack.3arsdj/_new 2019-04-11 08:48:01.636543828 +0200 @@ -1,6 +1,7 @@ ---- src/mount_efs/__init__.py.orig -+++ src/mount_efs/__init__.py -@@ -44,9 +44,9 @@ from contextlib import contextmanager +diff -Nru efs-utils-1.7.orig/src/mount_efs/__init__.py efs-utils-1.7/src/mount_efs/__init__.py +--- efs-utils-1.7.orig/src/mount_efs/__init__.py 2019-04-09 20:27:34.000000000 +0200 ++++ efs-utils-1.7/src/mount_efs/__init__.py 2019-04-09 23:59:43.477327640 +0200 +@@ -44,9 +44,9 @@ from logging.handlers import RotatingFileHandler try: @@ -12,7 +13,7 @@ try: from urllib2 import urlopen, URLError -@@ -517,7 +517,7 @@ def assert_root(): +@@ -537,7 +537,7 @@ def read_config(config_file=CONFIG_FILE): 
@@ -21,9 +22,10 @@ p.read(config_file) return p ---- src/watchdog/__init__.py.orig -+++ src/watchdog/__init__.py -@@ -21,9 +21,9 @@ from logging.handlers import RotatingFil +diff -Nru efs-utils-1.7.orig/src/watchdog/__init__.py efs-utils-1.7/src/watchdog/__init__.py +--- efs-utils-1.7.orig/src/watchdog/__init__.py 2019-04-09 20:27:34.000000000 +0200 ++++ efs-utils-1.7/src/watchdog/__init__.py 2019-04-09 23:59:43.477327640 +0200 +@@ -21,9 +21,9 @@ from signal import SIGTERM try: @@ -33,9 +35,9 @@ - from configparser import ConfigParser + import configparser as cp - VERSION = '1.5' + VERSION = '1.7' -@@ -275,7 +275,7 @@ def assert_root(): +@@ -280,7 +280,7 @@ def read_config(config_file=CONFIG_FILE): @@ -44,8 +46,9 @@ p.read(config_file) return p ---- test/mount_efs_test/test_choose_tls_port.py.orig -+++ test/mount_efs_test/test_choose_tls_port.py +diff -Nru efs-utils-1.7.orig/test/mount_efs_test/test_choose_tls_port.py efs-utils-1.7/test/mount_efs_test/test_choose_tls_port.py +--- efs-utils-1.7.orig/test/mount_efs_test/test_choose_tls_port.py 2019-04-09 20:27:34.000000000 +0200 ++++ efs-utils-1.7/test/mount_efs_test/test_choose_tls_port.py 2019-04-09 23:59:43.477327640 +0200 @@ -7,9 +7,13 @@ # @@ -61,7 +64,7 @@ import pytest from mock import MagicMock -@@ -19,7 +23,7 @@ DEFAULT_TLS_PORT_RANGE_HIGH = 20449 +@@ -19,7 +23,7 @@ def _get_config(): 
@@ -70,8 +73,9 @@ config.add_section(mount_efs.CONFIG_SECTION) config.set(mount_efs.CONFIG_SECTION, 'port_range_lower_bound', str(DEFAULT_TLS_PORT_RANGE_LOW)) config.set(mount_efs.CONFIG_SECTION, 'port_range_upper_bound', str(DEFAULT_TLS_PORT_RANGE_HIGH)) ---- test/mount_efs_test/test_write_stunnel_config_file.py.orig -+++ test/mount_efs_test/test_write_stunnel_config_file.py +diff -Nru efs-utils-1.7.orig/test/mount_efs_test/test_write_stunnel_config_file.py efs-utils-1.7/test/mount_efs_test/test_write_stunnel_config_file.py +--- efs-utils-1.7.orig/test/mount_efs_test/test_write_stunnel_config_file.py 2019-04-09 20:27:34.000000000 +0200 ++++ efs-utils-1.7/test/mount_efs_test/test_write_stunnel_config_file.py 2019-04-09 23:59:43.477327640 +0200 @@ -7,9 +7,13 @@ # @@ -87,7 +91,7 @@ import pytest FS_ID = 'fs-deadbeef' -@@ -32,7 +36,7 @@ def _get_config(mocker, stunnel_debug_en +@@ -32,7 +36,7 @@ if stunnel_check_cert_validity is None: stunnel_check_cert_validity = stunnel_check_cert_validity_supported ++++++ v1.5.tar.gz -> v1.7.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.5/build-deb.sh new/efs-utils-1.7/build-deb.sh --- old/efs-utils-1.5/build-deb.sh 2018-10-11 20:53:51.000000000 +0200 +++ new/efs-utils-1.7/build-deb.sh 2019-04-09 20:27:34.000000000 +0200 @@ -11,7 +11,7 @@ BASE_DIR=$(pwd) BUILD_ROOT=${BASE_DIR}/build/debbuild -VERSION=1.5 +VERSION=1.7 echo 'Cleaning deb build workspace' rm -rf ${BUILD_ROOT} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.5/dist/amazon-efs-utils.control new/efs-utils-1.7/dist/amazon-efs-utils.control --- old/efs-utils-1.5/dist/amazon-efs-utils.control 2018-10-11 20:53:51.000000000 +0200 +++ new/efs-utils-1.7/dist/amazon-efs-utils.control 2019-04-09 20:27:34.000000000 +0200 
@@ -1,6 +1,6 @@ Package: amazon-efs-utils Architecture: all -Version: 1.5 +Version: 1.7 Section: utils Depends: python|python2, nfs-common, stunnel4 (>= 4.56) Priority: optional diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.5/dist/amazon-efs-utils.spec new/efs-utils-1.7/dist/amazon-efs-utils.spec --- old/efs-utils-1.5/dist/amazon-efs-utils.spec 2018-10-11 20:53:51.000000000 +0200 +++ new/efs-utils-1.7/dist/amazon-efs-utils.spec 2019-04-09 20:27:34.000000000 +0200 @@ -20,7 +20,7 @@ %endif Name : amazon-efs-utils -Version : 1.5 +Version : 1.7 Release : 1%{?dist} Summary : This package provides utilities for simplifying the use of EFS file systems diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.5/dist/efs-utils.conf new/efs-utils-1.7/dist/efs-utils.conf --- old/efs-utils-1.5/dist/efs-utils.conf 2018-10-11 20:53:51.000000000 +0200 +++ new/efs-utils-1.7/dist/efs-utils.conf 2019-04-09 20:27:34.000000000 +0200 @@ -10,6 +10,8 @@ logging_level = INFO logging_max_bytes = 1048576 logging_file_count = 10 +# mode for /var/run/efs in octal +state_file_dir_mode = 750 [mount] dns_name_format = {fs_id}.efs.{region}.amazonaws.com diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.5/src/mount_efs/__init__.py new/efs-utils-1.7/src/mount_efs/__init__.py --- old/efs-utils-1.5/src/mount_efs/__init__.py 2018-10-11 20:53:51.000000000 +0200 +++ new/efs-utils-1.7/src/mount_efs/__init__.py 2019-04-09 20:27:34.000000000 +0200 @@ -54,7 +54,7 @@ from urllib.error import URLError from urllib.request import urlopen -VERSION = '1.5' +VERSION = '1.7' CONFIG_FILE = '/etc/amazon/efs/efs-utils.conf' CONFIG_SECTION = 'mount' 
@@ -180,8 +180,9 @@ ports_to_try = tls_ports[mid:] + tls_ports[:mid] assert len(tls_ports) == len(ports_to_try) + sock = socket.socket() + for tls_port in ports_to_try: - sock = socket.socket() try: sock.bind(('localhost', tls_port)) sock.close() @@ -189,6 +190,8 @@ except socket.error: continue + sock.close() + fatal_error('Failed to locate an available port in the range [%d, %d], ' 'try specifying a different port range in %s' % (lower_bound, upper_bound, CONFIG_FILE)) @@ -235,7 +238,7 @@ def get_version_specific_stunnel_options(config): - proc = subprocess.Popen(['stunnel', '-help'], stdout=subprocess.PIPE, stderr=subprocess.PIPE) + proc = subprocess.Popen(['stunnel', '-help'], stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True) proc.wait() _, err = proc.communicate() @@ -355,7 +358,7 @@ return with open(os.devnull, 'w') as devnull: - rc = subprocess.call(['systemctl', 'status', 'network.target'], stdout=devnull, stderr=devnull) + rc = subprocess.call(['systemctl', 'status', 'network.target'], stdout=devnull, stderr=devnull, close_fds=True) if rc != 0: fatal_error('Failed to mount %s because the network was not yet available, add "_netdev" to your mount options' % fs_id, 
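Review bot: The probe in `choose_tls_port` still releases the port with `sock.close()` before the caller starts stunnel on it, so the bind is a time-of-check/time-of-use window in which any local process can take the same port and the mount is then directed at that listener instead of the tunnel; reusing one socket does not narrow that window. The blanket `except socket.error: continue` also swallows bind failures that are not "address in use" (an EBADF after the socket has been closed, for instance), which would walk the whole range and end in the misleading "failed to locate an available port" message. Narrowing it to `except socket.error as e:` / `if e.errno != errno.EADDRINUSE: raise` (importing `errno` if the module does not already) keeps the retry for the expected case only, and a comment above the loop such as `# NOTE: the port is released before stunnel binds it; a local process can race for it, verify after launch` records the limitation. The successful-bind return and the rest of the function lie outside the hunk.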
@@ -364,19 +367,20 @@ def start_watchdog(init_system): if init_system == 'init': - proc = subprocess.Popen(['/sbin/status', WATCHDOG_SERVICE], stdout=subprocess.PIPE, stderr=subprocess.PIPE) + proc = subprocess.Popen( + ['/sbin/status', WATCHDOG_SERVICE], stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True) status, _ = proc.communicate() if 'stop' in status: with open(os.devnull, 'w') as devnull: - subprocess.Popen(['/sbin/start', WATCHDOG_SERVICE], stdout=devnull, stderr=devnull) + subprocess.Popen(['/sbin/start', WATCHDOG_SERVICE], stdout=devnull, stderr=devnull, close_fds=True) elif 'start' in status: logging.debug('%s is already running', WATCHDOG_SERVICE) elif init_system == 'systemd': - rc = subprocess.call(['systemctl', 'is-active', '--quiet', WATCHDOG_SERVICE]) + rc = subprocess.call(['systemctl', 'is-active', '--quiet', WATCHDOG_SERVICE], close_fds=True) if rc != 0: with open(os.devnull, 'w') as devnull: - subprocess.Popen(['systemctl', 'start', WATCHDOG_SERVICE], stdout=devnull, stderr=devnull) + subprocess.Popen(['systemctl', 'start', WATCHDOG_SERVICE], stdout=devnull, stderr=devnull, close_fds=True) else: logging.debug('%s is already running', WATCHDOG_SERVICE) @@ -386,12 +390,26 @@ logging.warning(error_message) +def create_state_file_dir(config, state_file_dir): + mode = 0o750 + try: + mode_str = config.get(CONFIG_SECTION, 'state_file_dir_mode') + try: + mode = int(mode_str, 8) + except ValueError: + logging.warn('Bad state_file_dir_mode "%s" in config file "%s"', mode_str, CONFIG_FILE) + except ConfigParser.NoOptionError: + pass + + os.makedirs(state_file_dir, mode) + + @contextmanager def bootstrap_tls(config, init_system, dns_name, fs_id, mountpoint, options, state_file_dir=STATE_FILE_DIR): start_watchdog(init_system) if not os.path.exists(state_file_dir): - os.makedirs(state_file_dir) + create_state_file_dir(config, state_file_dir) tls_port = choose_tls_port(config) options['tlsport'] = tls_port 
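Review bot: In the `init` branch of `start_watchdog`, `status` comes from `proc.communicate()` without `universal_newlines=True`, so under Python 3 it is `bytes` and `'stop' in status` raises TypeError before the watchdog is ever started; this package rewrites the shebangs to python3 in %prep, so on a distro using that code path the branch cannot work, even though systemd hosts never reach it. Adding `universal_newlines=True` to that `Popen` call is a one-line fix that keeps Python 2 behaviour. Separately, the results of the `/sbin/start` and `systemctl start` spawns are discarded, so a watchdog that fails to launch is silent; this is presumably deliberate best-effort, but a `logging.warning` on a non-zero exit would make the failure visible.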
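Review bot: `create_state_file_dir` accepts any integer that `int(mode_str, 8)` returns for `state_file_dir_mode`, including negative values and values above 0o7777, and hands them to `os.makedirs` unchanged; the `ValueError` branch only catches non-octal text. A range check inside the inner try, `if not 0 <= mode <= 0o7777: raise ValueError(mode_str)`, routes those through the existing warning and the 0o750 default. The hardened mode is also applied only when the directory is absent (`bootstrap_tls` skips the helper otherwise), so a `/var/run/efs` left by an earlier version or created by hand keeps its old permissions until removed; a warning when `stat.S_IMODE(os.stat(state_file_dir).st_mode)` is wider than the configured mode, or at least a comment, would make that explicit. Finally, `except ConfigParser.NoOptionError` relies on a module-level `ConfigParser` name; if this distro's parser-switch patch replaces that import with `import configparser as cp` for the mount helper as it visibly does for the watchdog, a config file lacking the option raises NameError here instead of falling back to the default.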
@@ -404,7 +422,8 @@ # launch the tunnel in a process group so if it has any child processes, they can be killed easily by the mount watchdog logging.info('Starting TLS tunnel: "%s"', ' '.join(tunnel_args)) - tunnel_proc = subprocess.Popen(tunnel_args, stdout=subprocess.PIPE, stderr=subprocess.PIPE, preexec_fn=os.setsid) + tunnel_proc = subprocess.Popen( + tunnel_args, stdout=subprocess.PIPE, stderr=subprocess.PIPE, preexec_fn=os.setsid, close_fds=True) logging.info('Started TLS tunnel, pid: %d', tunnel_proc.pid) temp_tls_state_file = write_tls_tunnel_state_file(fs_id, mountpoint, tls_port, tunnel_proc.pid, tunnel_args, @@ -458,7 +477,7 @@ logging.info('Executing: "%s"', ' '.join(command)) - proc = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + proc = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True) out, err = proc.communicate() if proc.returncode == 0: @@ -499,8 +518,9 @@ fsname = args[1] if len(args) > 2: mountpoint = args[2] - if len(args) > 4 and args[3] == '-o': - options = parse_options(args[4]) + if len(args) > 4 and '-o' in args[:-1]: + options_index = args.index('-o') + 1 + options = parse_options(args[options_index]) if not fsname or not mountpoint: usage(out=sys.stderr) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.5/src/watchdog/__init__.py new/efs-utils-1.7/src/watchdog/__init__.py --- old/efs-utils-1.5/src/watchdog/__init__.py 2018-10-11 20:53:51.000000000 +0200 +++ new/efs-utils-1.7/src/watchdog/__init__.py 2019-04-09 20:27:34.000000000 +0200 @@ -25,7 +25,7 @@ except ImportError: from configparser import ConfigParser -VERSION = '1.5' +VERSION = '1.7' CONFIG_FILE = '/etc/amazon/efs/efs-utils.conf' CONFIG_SECTION = 'mount-watchdog' 
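Review bot: The tunnel `Popen` in `bootstrap_tls` still attaches `stdout=PIPE` and `stderr=PIPE` to a long-lived stunnel process; unless something later in the function drains those pipes (the rest of the body is outside the hunk), output that fills the pipe buffer stalls the tunnel, and once the mount helper exits the child is writing into a closed pipe. Directing both at `os.devnull` as the other spawns in this file do, or reading them only when the start fails, avoids that. `preexec_fn=os.setsid` is documented as unsafe in the presence of threads; once Python 2 support is dropped, `start_new_session=True` is the supported replacement.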
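Review bot: `parse_arguments` now locates the option group with `args.index('-o')`, which searches from index 0 and so would also match a file system name or mount point at positions 1–2 that is literally `-o`, and a second `-o` group is silently dropped in favour of the first. Restricting the search to the flag region, `if len(args) > 4 and '-o' in args[3:-1]:` followed by `options_index = args.index('-o', 3) + 1`, keeps the positional arguments out of it and still guarantees `args[options_index]` exists. Whether mount(8) ever hands a helper more than one `-o` group is not visible here, so merging later groups would need confirming against the caller. The rest of `parse_arguments` lies outside the hunk.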
@@ -95,6 +95,9 @@ mountpoint = mountpoint[1:] opts = parse_options(mount.options) + if 'port' not in opts: + # some other localhost nfs mount not running over stunnel + return None return mountpoint + '.' + opts['port'] @@ -113,7 +116,9 @@ mount_dict = {} for m in mounts: - mount_dict[get_file_safe_mountpoint(m)] = m + safe_mnt = get_file_safe_mountpoint(m) + if safe_mnt: + mount_dict[safe_mnt] = m return mount_dict @@ -150,7 +155,7 @@ def start_tls_tunnel(child_procs, state_file, command): # launch the tunnel in a process group so if it has any child processes, they can be killed easily logging.info('Starting TLS tunnel: "%s"', ' '.join(command)) - tunnel = subprocess.Popen(command, preexec_fn=os.setsid) + tunnel = subprocess.Popen(command, preexec_fn=os.setsid, close_fds=True) if not is_pid_running(tunnel.pid): fatal_error('Failed to initialize TLS tunnel for %s' % state_file, 'Failed to start TLS tunnel.') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.5/test/mount_efs_test/test_bootstrap_tls.py new/efs-utils-1.7/test/mount_efs_test/test_bootstrap_tls.py --- old/efs-utils-1.5/test/mount_efs_test/test_bootstrap_tls.py 2018-10-11 20:53:51.000000000 +0200 +++ new/efs-utils-1.7/test/mount_efs_test/test_bootstrap_tls.py 2019-04-09 20:27:34.000000000 +0200 
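Review bot: The new guard in `get_file_safe_mountpoint` tests only for the key, so a mount whose options contain a bare `port` with no value passes the check and then fails on `mountpoint + '.' + opts['port']` with a TypeError, assuming the watchdog's `parse_options` maps valueless keys to `None` as the mount helper's does (see `test_parse_arguments_verbose`). `if not opts.get('port'): return None` covers both the missing and the empty case in the same line. The presence of a `port` option is also a weak signature for a tunnel-backed mount, since any localhost NFS mount with an explicit port would still be collected; if the state-file lookup downstream is what disambiguates, a comment saying so would help the next reader.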
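Review bot: `start_tls_tunnel` checks `is_pid_running(tunnel.pid)` immediately after `Popen`; a child that exits at once remains a zombie until reaped and still answers a pid probe, so the check will usually not catch a tunnel that died on startup (the helper is not visible here, so this is inferred from the usual `os.kill(pid, 0)` idiom). `if tunnel.poll() is not None:` asks the Popen object itself and reaps the child, which is the more reliable immediate check. The function body continues beyond the hunk.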
@@ -66,6 +66,14 @@ mocker.patch('os.kill') state_file_dir = str(tmpdir.join(tempfile.mktemp())) + def config_get_side_effect(section, field): + if section == mount_efs.CONFIG_SECTION and field == 'state_file_dir_mode': + return '0755' + else: + raise ValueError('Unexpected arguments') + + MOCK_CONFIG.get.side_effect = config_get_side_effect + assert not os.path.exists(state_file_dir) with mount_efs.bootstrap_tls(MOCK_CONFIG, INIT_SYSTEM, DNS_NAME, FS_ID, MOUNT_POINT, {}, state_file_dir): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.5/test/mount_efs_test/test_parse_arguments.py new/efs-utils-1.7/test/mount_efs_test/test_parse_arguments.py --- old/efs-utils-1.5/test/mount_efs_test/test_parse_arguments.py 2018-10-11 20:53:51.000000000 +0200 +++ new/efs-utils-1.7/test/mount_efs_test/test_parse_arguments.py 2019-04-09 20:27:34.000000000 +0200 @@ -77,6 +77,16 @@ assert {} == options +def test_parse_arguments_verbose(): + fsid, path, mountpoint, options = mount_efs.parse_arguments(None, + ['mount', 'fs-deadbeef:/home', '/dir', '-v', '-o', 'foo,bar=baz,quux']) + + assert 'fs-deadbeef' == fsid + assert '/home' == path + assert '/dir' == mountpoint + assert {'foo': None, 'bar': 'baz', 'quux': None} == options + + def test_parse_arguments(): fsid, path, mountpoint, options = mount_efs.parse_arguments(None, ['mount', 'fs-deadbeef:/home', '/dir', '-o', 'foo,bar=baz,quux'])