Hello community, here is the log from the commit of package nfs-utils for openSUSE:Factory checked in at 2019-09-25 01:35:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/nfs-utils (Old) and /work/SRC/openSUSE:Factory/.nfs-utils.new.7948 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nfs-utils"
Wed Sep 25 01:35:24 2019 rev:149 rq:732555 version:unknown
Changes:
--------
--- /work/SRC/openSUSE:Factory/nfs-utils/nfs-utils.changes 2019-09-09 12:32:25.833501328 +0200
+++ /work/SRC/openSUSE:Factory/.nfs-utils.new.7948/nfs-utils.changes 2019-09-25 01:35:27.137668009 +0200
@@ -1,0 +2,31 @@
+Mon Sep 23 01:52:29 UTC 2019 - Neil Brown <[email protected]>
+
+- Delete 0006-nfs.conf-silence-include-error.patch
+ replaced with better version
+- 0006-conffile-allow-optional-include-files.patch
+ Avoid error if /etc/nfs.conf.local doesn't exist
+ (bsc#1151044 bsc#1150807)
+- 0008-mountd-Initialize-logging-early.patch
+ Don't close the loging socket - it causes problems.
+ (bsc#1151044 bsc#1150807)
+
+-------------------------------------------------------------------
+Mon Sep 16 23:43:37 UTC 2019 - Neil Brown <[email protected]>
+
+- Don't make /var/lib/nfs owned by statd.
+ Only sm and sm.bak need to be accessible by
+ statd or sm-notify after they drop privs.
+ Providing they get created, the parent
+ directory can be root-owned.
+- 0007-statd-user-from-sm
+ Change rpc.statd and sm-notify to take uid from the sm
+ directory.
+ (bsc#1150733 CVE-2019-3689)
+
+-------------------------------------------------------------------
+Mon Sep 16 05:56:12 UTC 2019 - Neil Brown <[email protected]>
+
+- 0006-nfs.conf-silence-include-error.patch
+ Avoid an unhelpful warning (bsc#1150807)
+
+-------------------------------------------------------------------
New:
----
0006-conffile-allow-optional-include-files.patch
0007-statd-user-from-sm
0008-mountd-Initialize-logging-early.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ nfs-utils.spec ++++++
--- /var/tmp/diff_new_pack.506neM/_old 2019-09-25 01:35:28.873667797 +0200
+++ /var/tmp/diff_new_pack.506neM/_new 2019-09-25 01:35:28.893667794 +0200
@@ -50,6 +50,9 @@
 Patch3: 0003-systemd-run-statd-notify-even-when-nfs-client-isn-t-.patch
 Patch4: 0004-nfsidmap-honour-with-pluginpath-for-instalation.patch
 Patch5: 0005-nfs.conf-fail-to-disable-major-NFS-version-4-using-v.patch
+Patch6: 0006-conffile-allow-optional-include-files.patch
+Patch7: 0007-statd-user-from-sm
+Patch8: 0008-mountd-Initialize-logging-early.patch
 BuildRequires: e2fsprogs-devel
 BuildRequires: fedfs-utils-devel
@@ -152,6 +155,9 @@
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
 cp %{SOURCE6} .
@@ -218,9 +224,9 @@
 %service_add_pre auth-rpcgss-module.service nfs-idmapd.service nfs-blkmap.service rpc-statd-notify.service rpc-gssd.service rpc-statd.service rpc-svcgssd.service
 %post -n nfs-client
-chown statd:nogroup %{_localstatedir}/lib/nfs > /dev/null 2>&1 || :
-for i in state sm sm.bak; do
- chown -R statd %{_localstatedir}/lib/nfs/$i > /dev/null 2>&1 || :
+chown root:root %{_localstatedir}/lib/nfs > /dev/null 2>&1 || :
+for i in sm sm.bak; do
+ chown -R statd:nogroup %{_localstatedir}/lib/nfs/$i > /dev/null 2>&1 || :
 done
 ### migrate from /var/lock/subsys
 [ -d /run/nfs ] || mkdir /run/nfs
@@ -342,12 +348,12 @@
 %{_mandir}/man8/blkmapd.8%{ext_man}
 %{_mandir}/man8/rpc.svcgssd.8%{ext_man}
 %{_fillupdir}/sysconfig.nfs
-%attr(0711,statd,nogroup) %dir %{_localstatedir}/lib/nfs
+%dir %{_localstatedir}/lib/nfs
 %dir %{_localstatedir}/lib/nfs/rpc_pipefs
 %dir %{_localstatedir}/lib/nfs/v4recovery
 %attr(0700,statd,nogroup) %dir %{_localstatedir}/lib/nfs/sm
 %attr(0700,statd,nogroup) %dir %{_localstatedir}/lib/nfs/sm.bak
-%attr(0700,statd,nogroup) %ghost %{_localstatedir}/lib/nfs/state
+%ghost %{_localstatedir}/lib/nfs/state
 %files -n nfs-kernel-server
 %defattr(-,root,root)
++++++ 0006-conffile-allow-optional-include-files.patch ++++++
>From f608217f6136c0e9fedc7bc728e4ba13ed295c4c Mon Sep 17 00:00:00 2001
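Review bot: The `%post -n nfs-client` hunk re-owns `%{_localstatedir}/lib/nfs` to root and keeps only `sm` and `sm.bak` statd-owned, but nothing in the spec says why, and with 0007 applied rpc.statd and sm-notify derive their runtime uid from the owner of `sm`, so this scriptlet plus the two `%attr(0700,statd,nogroup)` lines are now the only things that decide which user those daemons drop to. A comment above the loop would keep that coupling visible, e.g. `# rpc.statd/sm-notify take their uid from the owner of sm (0007-statd-user-from-sm); the changelog notes that only sm and sm.bak need to be statd-accessible after privileges are dropped`. The `chown -R` is presumably there to re-own entries left by installs where the whole tree was statd-owned; if so, say that in the same comment so a later reader can judge whether the recursion is still needed, since `%attr` already sets the directory ownership on install. `|| :` keeps the scriptlet from failing the install, which is reasonable, but it also means a wrongly-owned `sm` only surfaces when statd starts, on a code path outside this diff.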
From: NeilBrown <[email protected]>
Date: Mon, 23 Sep 2019 11:20:39 +1000
Subject: [PATCH] conffile: allow optional include files.
If nfs.conf contains, for example include = /etc/nfs.conf.local and /etc/nfs.conf.local doesn't exist, then a warning is given. Sometimes it is useful to have an optional include file which is included if present, but for which an absence doesn't give a warning. Systemd has a convention that a hyphen at the start of an include file name marks it as optional, so add this convention to nfs-utils. So include = -/etc/nfs.conf.local will not give a warning if the file doesn't exist.
Signed-off-by: NeilBrown <[email protected]>
---
 support/nfs/conffile.c | 13 ++++++++++---
 systemd/nfs.conf.man | 3 +++
 2 files changed, 13 insertions(+), 3 deletions(-)
--- a/support/nfs/conffile.c
+++ b/support/nfs/conffile.c
@@ -413,11 +413,18 @@ conf_parse_line(int trans, char *line, c
 if (strcasecmp(line, "include")==0) {
 /* load and parse subordinate config files */
+ _Bool optional = false;
+
+ if (val && *val == '-') {
+ optional = true;
+ val++;
+ }
+
 relpath = relative_path(filename, val);
 if (relpath == NULL) {
- xlog_warn("config error at %s:%d: "
- "error loading included config",
- filename, lineno);
+ if (!optional)
+ xlog_warn("config error at %s:%d: error loading included config",
+ filename, lineno);
 return;
 }
--- a/systemd/nfs.conf.man
+++ b/systemd/nfs.conf.man
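Review bot: `optional` only silences the `relpath == NULL` branch; whether a missing `/etc/nfs.conf.local` is detected there or later, when the resolved path is opened and parsed, depends on `relative_path()` and on the code below the hunk (conf_parse_line continues past it), so any later "error loading included config" path needs the same `if (!optional)` guard or the hyphen will not deliver what the man-page text promises. After `val++` an `include = -` line leaves `val` pointing at an empty string, which is then handed to `relative_path()` exactly as before; if an empty name is not meant to be accepted, warn on `!val || !*val` right after the hyphen test rather than leaving it to `relative_path()` to decide. A comment on the flag would help the next reader, e.g. `/* A leading '-' (systemd convention) marks the include as optional: a missing file is not reported. */`. `_Bool`/`false` rely on `<stdbool.h>` already being included in conffile.c; spelling the local `bool` would match that header's intent.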
@@ -65,6 +65,9 @@ section headers, then new sections will
 included file appeared in place of the
 .B include
 line.
+If the file name starts with a hyphen then that is stripped off
+before the file is opened, and if file doesn't exist no warning is
+given. Normally a non-existent include file generates a warning.
 .PP
 Lookup of section and value names is case-insensitive.
++++++ 0007-statd-user-from-sm ++++++
statd: take user-id from /var/lib/nfs/sm
Having /var/lib/nfs writeable by statd is not ideal as there are files in there that statd doesn't need to access. Aftger dropping privs, statd and sm-notify only need to access files in the directories sm and sm.bak. So take the uid for these deamons from 'sm'.
Signed-off-by: NeilBrown <[email protected]>
---
 support/nsm/file.c | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)
--- a/support/nsm/file.c
+++ b/support/nsm/file.c
@@ -388,23 +388,17 @@ nsm_drop_privileges(const int pidfd)
 (void)umask(S_IRWXO);
- /*
- * XXX: If we can't stat dirname, or if dirname is owned by
- * root, we should use "statduser" instead, which is set up
- * by configure.ac. Nothing in nfs-utils seems to use
- * "statduser," though.
- */
- if (lstat(nsm_base_dirname, &st) == -1) {
- xlog(L_ERROR, "Failed to stat %s: %m", nsm_base_dirname);
- return false;
- }
-
 if (chdir(nsm_base_dirname) == -1) {
 xlog(L_ERROR, "Failed to change working directory to %s: %m", nsm_base_dirname);
 return false;
 }
+ if (lstat(NSM_MONITOR_DIR, &st) == -1) {
+ xlog(L_ERROR, "Failed to stat %s/%s: %m", nsm_base_dirname, NSM_MONITOR_DIR);
+ return false;
+ }
+
 if (!prune_bounding_set())
 return false;
++++++ 0008-mountd-Initialize-logging-early.patch ++++++
>From 30961f1bf9be6117aa825e7bfc8b327c93d3aacd Mon Sep 17 00:00:00 2001
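Review bot: The new `lstat(NSM_MONITOR_DIR, &st)` accepts any object named `sm` under the base directory, so a regular file or a symlink at that path would supply the uid/gid that the rest of nsm_drop_privileges (outside the hunk) switches to; adding `if (!S_ISDIR(st.st_mode)) { xlog(L_ERROR, "%s/%s is not a directory", nsm_base_dirname, NSM_MONITOR_DIR); return false; }` after the stat pins the check to the directory the daemon actually needs. The removed XXX comment about falling back to `statduser` is not replaced by anything saying why the monitor directory's owner, rather than the base directory's, is now the source of truth; a one-liner such as `/* After dropping privileges statd only touches sm and sm.bak, so take the uid from sm (relative path: we chdir'd above). */` would record that. Deriving the uid from a child of a now root-owned directory is what narrows what the unprivileged daemon can write, which appears to be the point of the change; whether a root-owned `sm` is still tolerated is decided below the hunk.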
From: NeilBrown <[email protected]>
Date: Mon, 23 Sep 2019 11:10:31 +1000
Subject: [PATCH] mountd: Initialize logging early.
Reading the config file can generate log messages, so we should initialize logging before reading the config file. If any log message are generated, syslog will leave a file descriptor open (a socket), so calling closeall(3) after this can cause problem. Before this we initialize login we don't know if Foreground (-F) has been selected, so closeall() cannot be conditional on that. closeall() isn't needed - daemon are almost always run from a management daemon like systemd, and they are given a clean environment. It is really best if they just take what they are given. So remove the closeall() call.
Signed-off-by: NeilBrown <[email protected]>
---
 utils/mountd/mountd.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
--- a/utils/mountd/mountd.c
+++ b/utils/mountd/mountd.c
@@ -679,6 +679,9 @@ main(int argc, char **argv)
 else
 progname = argv[0];
+ /* Initialize logging. */
+ xlog_open(progname);
+
 conf_init_file(NFS_CONFFILE);
 xlog_from_conffile("mountd");
 manage_gids = conf_get_bool("mountd", "manage-gids", manage_gids);
@@ -818,9 +821,7 @@ main(int argc, char **argv)
 }
 }
 }
- /* Initialize logging. */
 if (!foreground) xlog_stderr(0);
- xlog_open(progname);
 sa.sa_handler = SIG_IGN;
 sa.sa_flags = 0;
@@ -832,10 +833,6 @@ main(int argc, char **argv)
 /* WARNING: the following works on Linux and SysV, but not BSD! */
 sigaction(SIGCHLD, &sa, NULL);
- /* Daemons should close all extra filehandles ... *before* RPC init. */
- if (!foreground)
- closeall(3);
-
 cache_open();
 unregister_services();
++++++ nfs.conf ++++++
--- /var/tmp/diff_new_pack.506neM/_old 2019-09-25 01:35:29.201667757 +0200
+++ /var/tmp/diff_new_pack.506neM/_new 2019-09-25 01:35:29.201667757 +0200
@@ -9,7 +9,7 @@
 [environment]
 include = /etc/sysconfig/nfs
-include = /etc/nfs.conf.local
+include = -/etc/nfs.conf.local
 [general]
 pipefs-directory=$RPC_PIPEFS_DIR #
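Review bot: Moving `xlog_open(progname)` ahead of `conf_init_file()` means warnings raised while parsing nfs.conf are emitted before the `if (!foreground) xlog_stderr(0);` in the second hunk is reached, so in the daemonised case those early messages presumably also reach stderr until option parsing is done; that is likely fine under systemd but deserves a comment at the new call site, e.g. `/* Open the log before reading nfs.conf: parsing may warn, and the syslog socket it opens must stay open (closeall() was removed for that reason). */`. The third hunk drops `closeall(3)` entirely, so any descriptors inherited from a non-systemd launcher now stay open across `cache_open()` and the RPC registration that follows; the commit message accepts that trade-off, but the code no longer says why, and main() (which starts and ends outside these hunks) is where a future reader will look. The `/* Initialize logging. */` comment simply moves with the call, so nothing in the source records that the ordering is deliberate.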
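Review bot: `include = -/etc/nfs.conf.local` is only understood as an optional include once 0006-conffile-allow-optional-include-files.patch is in the parser; an nfs-utils build without it would treat the leading hyphen as part of the path and warn on every start, which is the symptom this change is meant to remove. A comment above the line, e.g. `# leading '-' marks the include as optional: no warning if the file is missing`, makes that dependency visible to anyone copying this file to another build.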
