[Bug 1950321] Re: [MIR] glusterfs

[Christian Ehrhardt ]

Now all is in place, but due to all the delay this is now much later than 
intended.
We will prepare the changes to samba and qemu which will pull this in, but 
given the time I'd feel more comfortable to have a quick release-team FFE-ack.

PPA (just started building, lets hope it works as good as it did in the 
pre-eval long ago):
- qemu: 
https://launchpad.net/~paelzer/+archive/ubuntu/lp-1246924-enable-glusterfs

P.S. From the MIR process all info is here already not more needed for
an FFE look at this.

** Summary changed:

- [MIR] glusterfs
+ [MIR][FFE] glusterfs

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950321

Title:
  [MIR][FFE] glusterfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1950321] Re: [MIR] glusterfs

[Christian Ehrhardt ]

** Changed in: glusterfs (Ubuntu)
 Assignee: Steve Beattie (sbeattie) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950321

Title:
  [MIR] glusterfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1950321] Re: [MIR] glusterfs

[Steve Beattie]

I reviewed glusterfs 10.1-1 as checked into jammy. This
shouldn't be considered a full audit but rather a quick gauge
of maintainability.

GlusterFS is a clustered network file-system.

- CVE History: 27 CVEs, though the most recent are from
  2018. Issue resolution looks okay. One or two of the later
  CVEs were incomplete fixes for earlier issues.
- Build-Depends on openssl, libtirpc, libxml2, rdma libs.
- Several pre/post inst/rm scripts, dedicated to managing the
  systemd services, adding/removing a dedicated gluster user,
  ensuring an initial config file is created, and dealing with
  compiled python files. Most are generated by debhelper tools
  and look okay.
- No init scripts.
- The glusterfs-server package includes to systemd units, to
  manage the primary GlusterFS daemon and the gluster events
  notifier service. The GlusterFS daemon does depend on rpcbind
  services being enabled/started.

  (The upstream source includes a couple more systemd unit
  files that are not included in any of the binary packages.)
- No dbus services.
- No setuid binaries; however, see Andreas' discussion on the
  fusermount-glusterfs binary. In general, the security team
  would STRONGLY prefer to not have another setuid binary,
  especially for what upstream considers a non-standard use
  case and for one that is a modified version of an existing
  binary that has had its own history of security problems.
- There are several binaries in PATH, mostly as one would
  expect (the service daemon itself, mount utilities, the
  events daemon, and some other specialized utilities.
- No sudo fragments.
- No polkit files.
- No udev rules.
- Tests:
  - it has one basic autopkgtest, a smoke test that creates
and writes to a mountpoint.
  - As Andreas noted, there is an unused semblance of
unittest infrastructure. There is a wholly unused tests/
subdirectory. It's great that upstream gates on tests
passing, but does nothing for us for testing updates/patches
we might apply. That's not great.
- No cron jobs.
- As noted, build logs contain some warnings, some of
  them somewhat concerning highlighting where string copy
  operations are performed with a bounds limiter based on the
  length of the source of the copy rather than the size of the
  target. Cursory looks indicate that they may not be an issue,
  and there has been some effort to fix these sorts of things
  in the upstream github.

  There's a couple of warnings about not checking the result
  of calls to setreuid() in contrib/fuse-lib/mount-common.c:59
  which just emphasizes again that it would be best to not
  make the fusermount-glusterfs setuid.

  Nothing concerning in the lintian warnings, though that the
  warning of a lack of symbols tracking in the libraries has
  been silenced is not a great look. (The upstream libraries
  export a defined set of symbols, but don't make use of symbol
  versioning, either.)

- Processes are spawned in a few locations, but look to be
  handled safely (outside of testcases).
- Lots of fiddly memory management happening, memcpys,
  strcpys, etc.
- File IO is okay.
- Logging is complex but okay.
- Minimal use of environment variables, mostly for
  geo-replication, and is okay.
- Privileged function use oustide of fuse is okay.
- RPC can use tls via libssl, looks okay.
- Use of temp files looks to be safe, though TMPDIR is not
  honored.
- As one would expect, significant Use of networking; in
  general looks okay.
- No use of WebKit.
- No use of PolicyKit.

- No significant cppcheck issues that were not likely false
  positives.
- Coverity reported around 500 issues, but spot checking a few,
  they appeared to be false positives or things like failing to
  deallocate memory in a command line tool. Upstream appears
  to be making fixes based on the public Coverity scanner,
  so that's good.
- shellcheck found some issues, including in
  xlators/mount/fuse/utils/mount.glusterfs.in which gets
  installed as /sbin/mount.glusterfs. Not a direct security
  concern and there is at least some effort to address
  shellcheck issues upstream.
- No significant bandit results.

Close to 500 TODO/FIXME type comments which is not a great sign.

I investigated the lintian override for the fortify hardening
check, and it does appear to be a false positive that is being
silenced, and thus okay.

In talking with Andreas, I understand the difficulty with trying
to get the upstream tests (in particular those driven by the
run-tests.sh script) working, but I think it still would be
something that would give us far more confidence when performing
updates, security or otherwise. It would also be good to clarify
explicitly why (debian) symbol versioning is not done, or get
it in place. Neither are blockers for acceptance.

Overall, there seems to be a marked improvement focusing on
quality versus the last time this package was submitted for
an MIR.

Security team ACK for promoting glusterfs to main.

-- 
You received this bug notifica

[Bug 1950321] Re: [MIR] glusterfs

[Christian Ehrhardt ]

Just to state it also here and not just in meetings and calls, this is
urgent and important for Jammy, so as much asap as you can manage to
complete this is appreciated :-)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950321

Title:
  [MIR] glusterfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1950321] Re: [MIR] glusterfs

[Andreas Hasenack]

I agree, and the current packaging is like this. fusermount-glusterfs is
not suid root.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950321

Title:
  [MIR] glusterfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1950321] Re: [MIR] glusterfs

[Steve Beattie]

I'm working on the Security review of GlusterFS, which I have not quite
completed, but to offer a comment on fusermount-glusterfs binary, the
Security team would strongly prefer to not have another setuid binary
for this; the original setuid fusermount has had its own security
history and we would not like to see a forked version that has unknown
tracking of vulnerabilities, especially for something that upstream
considers to be a non-standard usage.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950321

Title:
  [MIR] glusterfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1950321] Re: [MIR] glusterfs

[Steve Beattie]

** Changed in: glusterfs (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => Steve Beattie 
(sbeattie)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950321

Title:
  [MIR] glusterfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1950321] Re: [MIR] glusterfs

[Andreas Hasenack]

An update on this MIR, we might have to drop the armhf builds, see
https://github.com/gluster/glusterfs/issues/2979#issuecomment-1036057298

** Bug watch added: github.com/gluster/glusterfs/issues #2979
   https://github.com/gluster/glusterfs/issues/2979

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950321

Title:
  [MIR] glusterfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1950321] Re: [MIR] glusterfs

[Launchpad Bug Tracker]

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: glusterfs (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950321

Title:
  [MIR] glusterfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1950321] Re: [MIR] glusterfs

[Andreas Hasenack]

I filed an issue asking upstream to consider using the system provided
fuse libraries: https://github.com/gluster/glusterfs/issues/3145

** Bug watch added: github.com/gluster/glusterfs/issues #3145
   https://github.com/gluster/glusterfs/issues/3145

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950321

Title:
  [MIR] glusterfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1950321] Re: [MIR] glusterfs

[Andreas Hasenack]

I clarified a bit my understsanding of how glusterfs is using fuse. Long
comment below.

TL;DR
gluster uses its own copy of fuse for both the fuse xlator, and the fusermount 
tool (called fusermount-glusterfs). It won't use fuse's fusermount. This also 
means the depdendencies on libfuse-dev (build) and fuse (runtime) could be 
dropped.


There are two aspects to this: fusermount-glusterfs, and the fuse xlator mount 
module.

/usr/bin/fusermount-glusterfs is used when an unprivileged user tries a
mount:

  I [mount.c:496:gf_fuse_mount] 0-glusterfs-fuse: direct mount failed 
(Operation not permitted) errno 1
  I [mount.c:501:gf_fuse_mount] 0-glusterfs-fuse: retry to mount via fusermount

For this to work, two conditions need to be met:
a) the gluster provided /usr/bin/fusermount-glusterfs binary must be built and 
used (the fuse provided one is ignored)
b) it must be installed SUID root, just like fuse's /usr/bin/fusermount

If a privileged user is doing the mount, then gluster uses a direct
mount and fusermount-glusterfs is not used.

Can we then perhaps disable gluster's fusermount, and use the one
provided by fuse (/usr/bin/fusermount), which is installed suid root
already? No. gluster will not even attempt to use the fuse fusermount
command. This then goes down to technical differences between fuse's and
gluster's fusermount, some of which are explained in
https://github.com/gluster/glusterfs/discussions/2212

The Debian and Ubuntu packaging, as is, do not allow unprivileged
mounts, because they ship /usr/bin/fusermount-glusterfs without the SUID
root bit set. It might have been a conscious decision, letting the
sysadmin decide if they want to enable that bit or not, and keep it
during upgrades. Or it's a bug. In any case, they way it is shipped, we
could be using --disable-fusermount and would see no difference in
behavior.

But gluster still uses fuse.

On to the second point.

Both the fusermount-glusterfs binary, and the fuse xlator, use embedded
copies of fuse, in the contrib/ directory. They are not full copies,
just enough to build what is needed.

This also means that there is no need for the libfuse-dev build-dependency on 
the package, and there is also no need for the `fuse` Depends. I built the 
glusterfs packages with this patch applied, and no fuse packages installed on 
the system whatsoever:
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,6 @@ Section: admin
 Priority: optional
 Maintainer: Patrick Matthäi 
 Build-Depends: debhelper-compat (= 13),
- libfuse-dev ,
  libibverbs-dev ,
  libdb-dev ,
  librdmacm-dev ,
@@ -37,7 +36,6 @@ Multi-Arch: foreign
 Depends: ${misc:Depends},
  ${shlibs:Depends},
  ${python3:Depends},
- fuse,
  glusterfs-common (>= ${binary:Version})
 Description: clustered file-system (client package)
  GlusterFS is a clustered file-system capable of scaling to several

It built just fine:
$ dpkg --contents ../glusterfs-client_10.0-2ubuntu1~ppa1_amd64.deb |grep fuse
-rwxr-xr-x root/root 35048 2022-01-13 20:42 ./usr/bin/fusermount-glusterfs
lrwxrwxrwx root/root 0 2022-01-13 20:42 
./usr/share/man/man8/fusermount-glusterfs.8.gz -> mount.glusterfs.8.gz

$ dpkg --contents ../glusterfs-common_10.0-2ubuntu1~ppa1_amd64.deb |grep fuse
-rw-r--r-- root/root243168 2022-01-13 20:42 
./usr/lib/x86_64-linux-gnu/glusterfs/10.0/xlator/mount/fuse.so

$ dpkg -l | grep fuse
$

I will next file an upstream bug to switch to the externally provided
fuse libraries. It may not be possible for the fusermount-glusterfs
case, but that can at least be a build-time decision and is gated on
whether we want to allow unprivileged mounts or not.

Furthermore, I'll file one or two debian bugs to at least have the discussion 
started on these respective issues:
a) remove fuse build-depends and Depends, since they are not needed
b) either disable fusermount-glusterfs, or install it suid root, or leave it as 
is, but document that for it to work the admin needs to chmod u+s that binary 
and use dpkg-statoverride to not lose that during upgrades.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950321

Title:
  [MIR] glusterfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1950321] Re: [MIR] glusterfs

[Andreas Hasenack]

Upstream is awesome, they have a PR up for being able to use the system
provided lib xxhash instead of the bundled one, if one is found on the
system: https://github.com/gluster/glusterfs/pull/3127

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950321

Title:
  [MIR] glusterfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1950321] Re: [MIR] glusterfs

[Christian Ehrhardt ]

** Changed in: glusterfs (Ubuntu)
Milestone: ubuntu-22.02 => ubuntu-22.04-feature-freeze

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950321

Title:
  [MIR] glusterfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1950321] Re: [MIR] glusterfs

[Christian Ehrhardt ]

Required for 22.04, setting Critical + Milestone 22.02 (FeatureFreeze)

** Changed in: glusterfs (Ubuntu)
Milestone: None => ubuntu-22.02

** Changed in: glusterfs (Ubuntu)
   Importance: Undecided => Critical

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950321

Title:
  [MIR] glusterfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1950321] Re: [MIR] glusterfs

[Andreas Hasenack]

Here is an explanation about fuse's fusermount vs gluster's:
https://github.com/gluster/glusterfs/discussions/2212

"""
Glusterfs cannot use standard fusermount; the choice is either installing and 
using its own variant, or not facilitate unprivileged mounting.
"""

I didn't yet fully understand the details, I'll have to run some
experiments. I have a build without gluster's fusermount.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950321

Title:
  [MIR] glusterfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1950321] Re: [MIR] glusterfs

[Andreas Hasenack]

I filed https://github.com/gluster/glusterfs/issues/3097 for gluster to
consider switching to the external xxhash library.

** Bug watch added: github.com/gluster/glusterfs/issues #3097
   https://github.com/gluster/glusterfs/issues/3097

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950321

Title:
  [MIR] glusterfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1950321] Re: [MIR] glusterfs

[Andreas Hasenack]

I'll file an upstream bug asking if they can switch to the upstream
xxhash, and experiment a bit with building the glusterfs package with
the option to use the system's fusermount command.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950321

Title:
  [MIR] glusterfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1950321] Re: [MIR] glusterfs

[Christian Ehrhardt ]

On Tue, Jan 4, 2022 at 9:25 PM Andreas Hasenack
<1950...@bugs.launchpad.net> wrote:
>
> I did some investigation in all of the contrib/ directories:

Thanks for that investigation, it seems most of them are unused or
really only a minor concern.
The two more interesting according to your analysis IMHO are xxhash and fuse.

We have libfuse3-3 in main (and fuse3 can follow once depended on,
currently as you
know there is a fuse2->fuse3 move).
Also libxxhash0 is in main since Hirsute.
So going forward if we can make glusterfs use those two from the
system that would
clearly eliminate the biggest chunks of embedded code concerns I'd think.

I'm not sure this works, I'm saying those two seem to be good
candidates to have a deeper look at.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950321

Title:
  [MIR] glusterfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1950321] Re: [MIR] glusterfs

[Andreas Hasenack]

I did some investigation in all of the contrib/ directories:

[Embedded Sources]

[contrib/xxhash]
- https://github.com/Cyan4973/xxHash
- devel ML thread discussing its inclusion: 
http://lists.gluster.org/pipermail/gluster-devel/2017-June/053173.html
- mailing list thread said back then the linux distros didn't have xxhash 
packaged. We have it since bionic (so 2018)
- it claims the usage is not cryptographic
- we have it in ubuntu main (https://launchpad.net/ubuntu/+source/xxhash)
- version in jammy is 0.8.0, upstream is 0.8.1
- embedded version in glusterfs is 0.6.5, from April 2018 
(https://github.com/Cyan4973/xxHash/releases/tag/v0.6.5)
- pinged upstream about it in slack 
(https://gluster.slack.com/archives/CHVRH5D50/p1641316163090300)
- -I xxhash.h includes the .c file too, inline:
#if defined(XXH_INLINE_ALL) || defined(XXH_PRIVATE_API)
#  include "xxhash.c"   /* include xxhash function bodies as `static`, for 
inlining */
#endif

[contrib/umountd]
- not used on linux

[contrib/userspace-rcu]
- only used if the system has an old liburcu (<= 0.7). Ubuntu jammy has 0.8
PKG_CHECK_MODULES([URCU_CDS], [liburcu-cds >= 0.8], [],
  [PKG_CHECK_MODULES([URCU_CDS], [liburcu-cds >= 0.7],
[AC_DEFINE(URCU_OLD, 1, [Define if liburcu 0.6 or 0.7 is found])
 USE_CONTRIB_URCU='yes'],
[AC_CHECK_HEADERS([urcu/cds.h],
  [AC_DEFINE(URCU_OLD, 1, [Define if liburcu 0.6 or 0.7 is found])
   URCU_CDS_LIBS='-lurcu-cds'
   USE_CONTRIB_URCU='yes'],
  [AC_MSG_ERROR([liburcu-cds not found])])])])

And we get in config.h after a build:
$ grep URCU_OLD config.h -B1
/* Define if liburcu 0.6 or 0.7 is found */
/* #undef URCU_OLD */

That being said, the build command lines still pass
"-I../../../../contrib/userspace-rcu" regardless


[contrib/timer-wheel]
- seems to have come from the linux kernel: linux/kernel/timer.c and others

[contrib/rbtree]
- comes from http://savannah.gnu.org/projects/avl
- version 2.0.3, last updated in 2007


[mount/]
- not used in linux: #if !defined(GF_LINUX_HOST_OS)

[contrib/macfuse]
- only used in macos/darwing


[contrib/libgen]
- basename_r.c: copied from glibc-2.12.1/string/basename.c, with modifications
- dirname_r.c: copied from glibc-2.12.1/string/memrchr.c and 
glibc-2.12.1/misc/dirname.c, with modifications

[contrib/libexecinfo]
- not used, because we define HAVE_BACKTRACE:
$ grep HAVE_BACKTRACE config.h -B1
/* define if found backtrace */
#define HAVE_BACKTRACE 1

And:
$ grep HAVE_BACKTRACE contrib/libexecinfo/*
contrib/libexecinfo/execinfo.c:#ifndef HAVE_BACKTRACE
contrib/libexecinfo/execinfo_compat.h:#ifndef HAVE_BACKTRACE


[contrib/fuse-util]
- builds fusermount
- system's fusermount is suid root, and comes from the `fuse` package
- there is a configure option to use the system's fusermount, disabling this 
built-in copy, but it's not used in the packaging,

[contrib/fuse-lib]
- file has origin declaration and list of changes:
 * These functions (and gf_fuse_umount() in mount.c)
 * were originally taken from libfuse as of commit 7960e99e
 * 
(http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=7960e99e)
 * almost verbatim. What has been changed upon adoption:
...

[contrib/fuse-include]
- counterpart header files for the rest of the fuse contrib directories

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950321

Title:
  [MIR] glusterfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1950321] Re: [MIR] glusterfs

[Andreas Hasenack]

> - State a plan of how you will stay on top of the embedded sources (security
>  issues, updates, ...)

I'll do this analysis in parallel

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950321

Title:
  [MIR] glusterfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1950321] Re: [MIR] glusterfs

[Christian Ehrhardt ]

Thereby the required TODOs are done AFAICS.
Feel free to add more of the recommended steps,
but until then this is New@ubuntu-security as it is waiting for the review.

** Changed in: glusterfs (Ubuntu)
   Status: Incomplete => New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950321

Title:
  [MIR] glusterfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1950321] Re: [MIR] glusterfs

[Andreas Hasenack]

Debian adopted the dep8 test, and the package is in sync again.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950321

Title:
  [MIR] glusterfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1950321] Re: [MIR] glusterfs

[Andreas Hasenack]

A DEP8 test was added and uploaded to jammy, and it migrated already.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950321

Title:
  [MIR] glusterfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1950321] Re: [MIR] glusterfs

[Lukas Märdian]

Review for Package: src:glusterfs

[Summary]
This is a big piece of software and might have quite some security implications
(embedded sources, root daemon, regex parsing, lintian warnings,
openssl3 warnings, ...) but I'll leave this to the security-team to judge on.
It is really unfortunate that it does not currently contain any automated
testing. Thanks for starting the work on a DEP-8 test already, we absolutely
need this! In addition it should be further investigated if the unit-tests can
be run at build time or if we can setup similar test as the upstream CI that
run during build. Having unit tests + DEP-8 would make me feel much more
confortable in ACKing this, but I guess having at least one of them is the bare
minimum.

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

This does need a security review, so I'll assign ubuntu-security

List of specific binary packages to be promoted to main:
glusterfs-cli, glusterfs-client, glusterfs-common, glusterfs-server, libgfapi0,
libgfchangelog0, libgfrpc0, libgfxdr0, libglusterd0, libglusterfs-dev,
libglusterfs0
Specific binary packages built, but NOT to be promoted to main: 

Required TODOs:
- Implement & upload the proposed autopkgtests (+ try to get them into Debian):
  Thanks for starting the work on this already!
  https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1954452
- State a plan of how you will stay on top of the embedded sources (security
  issues, updates, ...)

Recommended TODOs:
- The package should get a team bug subscriber before being promoted
- try to enable the unittests (BUILD_UNITTEST="no" in configure.ac) at buildtime
- Work with upstream to resolve the build time warnings
- Work with Debian to clean up the lintian warnings & overrides

[Duplication]
There is no other package in main providing the same functionality.
There are some parallels to Ceph, as a scale-out storage solution, but the
usecases are quite a bit different (object storage in a full cloud environment
vs HA file storage), so I'm not considering this a duplication of functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - checked with check-mir
  - not listed in seeded-in-ubuntu
  - none of the (potentially auto-generated) dependencies (Depends
 and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no static linking
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard

Problems:
- Some embedded sources present (like xxhash, libexecinfo, ...) in contrib/

[Security]
OK:
- history of CVEs does not look concerning (there are plenty of CVEs, but the
  situation seems to have become much better since 2018, only one CVE in 2019
  since then)
- does not use webkit1,2
- does not use lib*v8 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)

Problems:
- does run a daemon as root
- does open a port/socket
- does some regex parsing in libglusterfs/src/parse-utils.c

[Common blockers]
OK:
- does not FTBFS currently
- if special HW does prevent build/autopkgtest is there a test plan, code,
  log provided? – not needed
- if a non-trivial test on this level does not make sense (the lib alone
  is only doing rather simple things), is the overall solution (app+libs)
  extensively covered i.e. via end to end autopkgtest ? – not needed
- no new python2 dependency
- Python package, but using dh_python (some parts of it)
- NO Go package

Problems:
- does NOT have a test suite that runs at build time
- does NOT have a non-trivial test suite that runs as autopkgtest:
  https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1954452

[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under
  control
- symbols tracking is in place (using dh_makeshlibs -VUpstream-Version)
- d/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- d/rules is rather clean
- It is not on the lto-disabled list

Problems:
- some Lintian warnings
  (especially the no-symbols-control-file & hardening-no-fortify-functions)

[Upstream red flags]
OK:
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec (usage is OK inside tests)
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
  => some cra

[Bug 1950321] Re: [MIR] glusterfs

[Christian Ehrhardt ]

** Changed in: glusterfs (Ubuntu)
 Assignee: (unassigned) => Lukas Märdian (slyon)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950321

Title:
  [MIR] glusterfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1950321] Re: [MIR] glusterfs

[Andreas Hasenack]

I'm adding a DEP8 test to glusterfs here:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1954452

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950321

Title:
  [MIR] glusterfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1950321] Re: [MIR] glusterfs

[Andreas Hasenack]

** Description changed:

- Placeholder for new MIR attempt for glusterfs. Old MIR is bug #1274247
+ Old MIR is bug #1274247
+ 
+ (launchpad will definitely wrap these lines and break the formatting: if
+ you want, I can post this content elsewhere, like a git repo)
+ 
+ [Availability]
+ The package glusterfs is already in Ubuntu universe.
+ The package glusterfs build for the architectures it is designed to work on.
+ It currently builds and works for architetcures: amd64 arm64 armhf ppc64el 
riscv64 s390x
+ 
+ Link to package https://launchpad.net/ubuntu/+source/glusterfs
+ 
+ [Rationale]
+ The package glusterfs is required in Ubuntu main for:
+ - The package glusterfs will generally be useful for a large part of
+   our user base
+ - Additionally new use-cases enabled by this are:
+   - samba clustering support (we carry a packaging delta to disable it in 
Ubuntu)
+   - qemu native glusterfs support (bug #1246924)
+ 
+ [Security]
+ For the security review, consider the points raised last time this was done, 
in 2014, when the first MIR was rejected:
+ 
+ https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1274247/comments/14
+ 
+ cppcheck issues were fixed:
+ https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1274247/comments/19
+ https://bugzilla.redhat.com/show_bug.cgi?id=1086460
+ 
+ 
+ There are some strncat warnings during build, like these:
+ In file included from /usr/include/string.h:519,
+  from ../../../../libglusterfs/src/glusterfs/glusterfs.h:15,
+  from trash.h:13,
+  from trash.c:10:
+ In function ‘strncat’,
+ inlined from ‘trash_truncate_mkdir_cbk’ at trash.c:1730:13:
+ /usr/include/x86_64-linux-gnu/bits/string_fortified.h:135:10: warning: 
‘__strncat_chk’ output may be truncated copying between 0 and 4095 bytes from a 
string of length 4095 [-Wstringop-truncation]
+   135 |   return __builtin___strncat_chk (__dest, __src, __len,
+   |  ^~
+   136 |   __glibc_objsize (__dest));
+   |   ~
+ 
+ 
+ and
+ 
+ In file included from /usr/include/string.h:519,
+  from ../../../../libglusterfs/src/glusterfs/glusterfs.h:15,
+  from glusterd-utils.c:23:
+ In function ‘strncat’,
+ inlined from ‘glusterd_add_peers_to_auth_list’ at 
glusterd-utils.c:14997:27:
+ /usr/include/x86_64-linux-gnu/bits/string_fortified.h:135:10: warning: 
‘strncat’ specified bound depends on the length of the source argument 
[-Wstringop-overflow=]
+   135 |   return __builtin___strncat_chk (__dest, __src, __len,
+   |  ^~
+   136 |   __glibc_objsize (__dest));
+   |   ~
+ 
+ 
+ - http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=glusterfs
+ Plenty of vulnerabilities, but the most recent affected version is 4.1.4. 
Bionic ships 3.13.2, and focal has 7.2 already. Jammy is on 10.0 (proposed)
+ 
+ - site:www.openwall.com/lists/oss-security glusterfs
+ Previously mentioned CVEs
+ No hits more recent than 2018. One from 2020, but about 
kube-controller-manager, which can affect storage volume types and glusterfs is 
in the list.
+ 
+ - 
https://ubuntu.com/security/cve?q=glusterfs&package=&priority=&version=&status=
+ Plenty of CVEs, but note that from Focal onwards we are not affected
+ 
+ - https://github.com/gluster/glusterdocs/security
+ Unclear if this is used. The advisories tab is empty.
+ 
+ In general, it looks like that was a good shift to having a more secure
+ product, when compared to older versions, at least in terms of CVEs and
+ advisories.
+ 
+ 
+ - no `suid` or `sgid` binaries
+ - plenty of executables in `/sbin` and `/usr/sbin`
+ - Package installs services:
+ -rw-r--r--   1 root root   604 Nov 25 13:38 
/lib/systemd/system/glusterd.service
+ -rw-r--r--   1 root root   416 Nov 25 13:38 
/lib/systemd/system/glustereventsd.service
+ 
+ glusterd runs as root and opens port 24007/tcp:
+ root 650  0.0  0.8 463484 16948 ?SLsl 13:07   0:00 
/usr/sbin/glusterd -p /var/run/glusterd.pid --log-level INFO
+ 
+ glusterfsd runs as root, and has port 51886/tcp open in the port list further 
below, but no dedicated service file for it. It must be spawned on demand:
+ root 879  0.0  0.9 678344 18976 ?SLsl 13:07   0:00 
/usr/sbin/glusterfsd -s j3-gluster --volfile-id gv0.j3-gluster.data-brick1-gv0 
-p /var/run/gluster/vols/gv0/j3-gluster-data-brick1-gv0.pid -S 
/var/run/gluster/151590e8a4cfce4e.socket --brick-name /data/brick1/gv0 -l 
/var/log/glusterfs/bricks/data-brick1-gv0.log --xlator-option 
*-posix.glusterd-uuid=039bb0cb-e8ae-4109-80c4-1680c0900046 --process-name brick 
--brick-port 51886 --xlator-option gv0-server.listen-port=51886
+ 
+ glusterfs runs as root.
+ On the server:
+ root 890  0.0  0.6 59