[Bug 1950321] Re: [MIR] glusterfs
Now all is in place, but due to all the delay this is now much later than intended. We will prepare the changes to samba and qemu which will pull this in, but given the time I'd feel more comfortable to have a quick release-team FFE-ack.

PPA (just started building, let's hope it works as good as it did in the pre-eval long ago):
- qemu: https://launchpad.net/~paelzer/+archive/ubuntu/lp-1246924-enable-glusterfs

P.S. From the MIR process all info is here already, nothing more is needed for an FFE look at this.

** Summary changed:
- [MIR] glusterfs
+ [MIR][FFE] glusterfs

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950321

Title:
  [MIR][FFE] glusterfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1950321] Re: [MIR] glusterfs
** Changed in: glusterfs (Ubuntu)
     Assignee: Steve Beattie (sbeattie) => (unassigned)
[Bug 1950321] Re: [MIR] glusterfs
I reviewed glusterfs 10.1-1 as checked into jammy. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

GlusterFS is a clustered network file-system.

- CVE History: 27 CVEs, though the most recent are from 2018. Issue resolution looks okay. One or two of the later CVEs were incomplete fixes for earlier issues.
- Build-Depends on openssl, libtirpc, libxml2, rdma libs.
- Several pre/post inst/rm scripts, dedicated to managing the systemd services, adding/removing a dedicated gluster user, ensuring an initial config file is created, and dealing with compiled python files. Most are generated by debhelper tools and look okay.
- No init scripts.
- The glusterfs-server package includes two systemd units, to manage the primary GlusterFS daemon and the gluster events notifier service. The GlusterFS daemon does depend on rpcbind services being enabled/started. (The upstream source includes a couple more systemd unit files that are not included in any of the binary packages.)
- No dbus services.
- No setuid binaries; however, see Andreas' discussion on the fusermount-glusterfs binary. In general, the security team would STRONGLY prefer to not have another setuid binary, especially for what upstream considers a non-standard use case and for one that is a modified version of an existing binary that has had its own history of security problems.
- There are several binaries in PATH, mostly as one would expect (the service daemon itself, mount utilities, the events daemon, and some other specialized utilities).
- No sudo fragments.
- No polkit files.
- No udev rules.
- Tests:
  - it has one basic autopkgtest, a smoke test that creates and writes to a mountpoint.
  - As Andreas noted, there is an unused semblance of unittest infrastructure. There is a wholly unused tests/ subdirectory. It's great that upstream gates on tests passing, but does nothing for us for testing updates/patches we might apply. That's not great.
- No cron jobs.
- As noted, build logs contain some warnings, some of them somewhat concerning, highlighting where string copy operations are performed with a bounds limiter based on the length of the source of the copy rather than the size of the target. Cursory looks indicate that they may not be an issue, and there has been some effort to fix these sorts of things in the upstream github. There's a couple of warnings about not checking the result of calls to setreuid() in contrib/fuse-lib/mount-common.c:59 which just emphasizes again that it would be best to not make the fusermount-glusterfs setuid. Nothing concerning in the lintian warnings, though that the warning of a lack of symbols tracking in the libraries has been silenced is not a great look. (The upstream libraries export a defined set of symbols, but don't make use of symbol versioning, either.)
- Processes are spawned in a few locations, but look to be handled safely (outside of testcases).
- Lots of fiddly memory management happening, memcpys, strcpys, etc.
- File IO is okay.
- Logging is complex but okay.
- Minimal use of environment variables, mostly for geo-replication, and is okay.
- Privileged function use outside of fuse is okay.
- RPC can use tls via libssl, looks okay.
- Use of temp files looks to be safe, though TMPDIR is not honored.
- As one would expect, significant use of networking; in general looks okay.
- No use of WebKit.
- No use of PolicyKit.
- No significant cppcheck issues that were not likely false positives.
- Coverity reported around 500 issues, but spot checking a few, they appeared to be false positives or things like failing to deallocate memory in a command line tool. Upstream appears to be making fixes based on the public Coverity scanner, so that's good.
- shellcheck found some issues, including in xlators/mount/fuse/utils/mount.glusterfs.in which gets installed as /sbin/mount.glusterfs. Not a direct security concern and there is at least some effort to address shellcheck issues upstream.
- No significant bandit results.

Close to 500 TODO/FIXME type comments which is not a great sign.

I investigated the lintian override for the fortify hardening check, and it does appear to be a false positive that is being silenced, and thus okay.

In talking with Andreas, I understand the difficulty with trying to get the upstream tests (in particular those driven by the run-tests.sh script) working, but I think it still would be something that would give us far more confidence when performing updates, security or otherwise.

It would also be good to clarify explicitly why (debian) symbol versioning is not done, or get it in place.

Neither are blockers for acceptance. Overall, there seems to be a marked improvement focusing on quality versus the last time this package was submitted for an MIR.

Security team ACK for promoting glusterfs to main.
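The two warning classes named in the review above (a copy bound taken from the source length, and an unchecked setreuid() result), set beside hardened forms. This is an added example, not glusterfs code and not part of the original message; `append_bounded`, `switch_ids_checked` and `stub_setreuid` are hypothetical names, and the setter is passed in as a function pointer only so the failure path can be exercised without root.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* setreuid() prototype under strict -std= modes */
#endif
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Pattern behind the string warnings: the limit is derived from the source,
 * so it says nothing about the room left in the destination.
 *
 *     strncat(dst, src, strlen(src));        // bound == source length
 *
 * Hardened form: the bound is the destination's total size.
 * Returns 0 on success. Returns -1 with errno = ENAMETOOLONG when src does
 * not fit (dst is left unchanged), or errno = EINVAL on bad arguments.
 */
int append_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0) {
        errno = EINVAL;
        return -1;
    }
    const char *nul = memchr(dst, '\0', dst_size);
    if (nul == NULL) {                 /* dst is not NUL-terminated */
        errno = EINVAL;
        return -1;
    }
    size_t used = (size_t)(nul - dst);
    size_t need = strlen(src);
    if (need >= dst_size - used) {     /* no room for src plus its NUL */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst + used, src, need + 1);
    return 0;
}

/* Same signature as setreuid(2), so a test can inject a stub. */
typedef int (*reuid_fn)(uid_t ruid, uid_t euid);

/*
 * Pattern behind the setreuid() warnings:
 *
 *     setreuid(uid, uid);                    // result ignored
 *
 * If the call fails, execution continues with the previous ids.
 * Checked form: fail closed when the call fails, and confirm that the
 * process ids are the requested ones before returning success.
 */
int switch_ids_checked(reuid_fn setter, uid_t ruid, uid_t euid)
{
    if (setter(ruid, euid) != 0)
        return -1;                     /* errno was set by the setter */
    if (getuid() != ruid || geteuid() != euid) {
        errno = EPERM;                 /* call "succeeded" but ids differ */
        return -1;
    }
    return 0;
}

/* Constructed stub: returns stub_result and never changes any id. */
static int stub_result = -1;
int stub_setreuid(uid_t ruid, uid_t euid)
{
    (void)ruid;
    (void)euid;
    if (stub_result != 0)
        errno = EPERM;
    return stub_result;
}

int main(void)
{
    char path[16] = "/mnt/";           /* constructed sample buffer */
    int rc = append_bounded(path, sizeof path, "a-name-longer-than-the-buffer");
    printf("oversized append: rc=%d path=\"%s\"\n", rc, path);
    rc = append_bounded(path, sizeof path, "vol0");
    printf("fitting append:   rc=%d path=\"%s\"\n", rc, path);

    /* Setting the ids to their current values is always permitted. */
    printf("setreuid to current ids: rc=%d\n",
           switch_ids_checked(setreuid, getuid(), geteuid()));
    stub_result = -1;
    printf("failing setter:          rc=%d\n",
           switch_ids_checked(stub_setreuid, getuid(), geteuid()));
    return 0;
}
```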
[Bug 1950321] Re: [MIR] glusterfs
Just to state it also here and not just in meetings and calls, this is urgent and important for Jammy, so as much asap as you can manage to complete this is appreciated :-)
[Bug 1950321] Re: [MIR] glusterfs
I agree, and the current packaging is like this. fusermount-glusterfs is not suid root.
[Bug 1950321] Re: [MIR] glusterfs
I'm working on the Security review of GlusterFS, which I have not quite completed, but to offer a comment on fusermount-glusterfs binary, the Security team would strongly prefer to not have another setuid binary for this; the original setuid fusermount has had its own security history and we would not like to see a forked version that has unknown tracking of vulnerabilities, especially for something that upstream considers to be a non-standard usage.
[Bug 1950321] Re: [MIR] glusterfs
** Changed in: glusterfs (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => Steve Beattie (sbeattie)
[Bug 1950321] Re: [MIR] glusterfs
An update on this MIR, we might have to drop the armhf builds, see https://github.com/gluster/glusterfs/issues/2979#issuecomment-1036057298

** Bug watch added: github.com/gluster/glusterfs/issues #2979
   https://github.com/gluster/glusterfs/issues/2979
[Bug 1950321] Re: [MIR] glusterfs
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: glusterfs (Ubuntu)
       Status: New => Confirmed
[Bug 1950321] Re: [MIR] glusterfs
I filed an issue asking upstream to consider using the system provided fuse libraries: https://github.com/gluster/glusterfs/issues/3145

** Bug watch added: github.com/gluster/glusterfs/issues #3145
   https://github.com/gluster/glusterfs/issues/3145
[Bug 1950321] Re: [MIR] glusterfs
I clarified a bit my understanding of how glusterfs is using fuse. Long comment below.

TL;DR gluster uses its own copy of fuse for both the fuse xlator, and the fusermount tool (called fusermount-glusterfs). It won't use fuse's fusermount. This also means the dependencies on libfuse-dev (build) and fuse (runtime) could be dropped.

There are two aspects to this: fusermount-glusterfs, and the fuse xlator mount module.

/usr/bin/fusermount-glusterfs is used when an unprivileged user tries a mount:

  I [mount.c:496:gf_fuse_mount] 0-glusterfs-fuse: direct mount failed (Operation not permitted) errno 1
  I [mount.c:501:gf_fuse_mount] 0-glusterfs-fuse: retry to mount via fusermount

For this to work, two conditions need to be met:
a) the gluster provided /usr/bin/fusermount-glusterfs binary must be built and used (the fuse provided one is ignored)
b) it must be installed SUID root, just like fuse's /usr/bin/fusermount

If a privileged user is doing the mount, then gluster uses a direct mount and fusermount-glusterfs is not used.

Can we then perhaps disable gluster's fusermount, and use the one provided by fuse (/usr/bin/fusermount), which is installed suid root already? No. gluster will not even attempt to use the fuse fusermount command. This then goes down to technical differences between fuse's and gluster's fusermount, some of which are explained in https://github.com/gluster/glusterfs/discussions/2212

The Debian and Ubuntu packaging, as is, do not allow unprivileged mounts, because they ship /usr/bin/fusermount-glusterfs without the SUID root bit set. It might have been a conscious decision, letting the sysadmin decide if they want to enable that bit or not, and keep it during upgrades. Or it's a bug. In any case, the way it is shipped, we could be using --disable-fusermount and would see no difference in behavior.

But gluster still uses fuse. On to the second point.
Both the fusermount-glusterfs binary, and the fuse xlator, use embedded copies of fuse, in the contrib/ directory. They are not full copies, just enough to build what is needed. This also means that there is no need for the libfuse-dev build-dependency on the package, and there is also no need for the `fuse` Depends. I built the glusterfs packages with this patch applied, and no fuse packages installed on the system whatsoever: --- a/debian/control +++ b/debian/control @@ -3,7 +3,6 @@ Section: admin Priority: optional Maintainer: Patrick Matthäi Build-Depends: debhelper-compat (= 13), - libfuse-dev , libibverbs-dev , libdb-dev , librdmacm-dev , 
@@ -37,7 +36,6 @@ Multi-Arch: foreign Depends: ${misc:Depends}, ${shlibs:Depends}, ${python3:Depends}, - fuse, glusterfs-common (>= ${binary:Version}) Description: clustered file-system (client package) GlusterFS is a clustered file-system capable of scaling to several It built just fine: $ dpkg --contents ../glusterfs-client_10.0-2ubuntu1~ppa1_amd64.deb |grep fuse -rwxr-xr-x root/root 35048 2022-01-13 20:42 ./usr/bin/fusermount-glusterfs lrwxrwxrwx root/root 0 2022-01-13 20:42 ./usr/share/man/man8/fusermount-glusterfs.8.gz -> mount.glusterfs.8.gz $ dpkg --contents ../glusterfs-common_10.0-2ubuntu1~ppa1_amd64.deb |grep fuse -rw-r--r-- root/root243168 2022-01-13 20:42 ./usr/lib/x86_64-linux-gnu/glusterfs/10.0/xlator/mount/fuse.so $ dpkg -l | grep fuse $ I will next file an upstream bug to switch to the externally provided fuse libraries. It may not be possible for the fusermount-glusterfs case, but that can at least be a build-time decision and is gated on whether we want to allow unprivileged mounts or not. Furthermore, I'll file one or two debian bugs to at least have the discussion started on these respective issues: a) remove fuse build-depends and Depends, since they are not needed b) either disable fusermount-glusterfs, or install it suid root, or leave it as is, but document that for it to work the admin needs to chmod u+s that binary and use dpkg-statoverride to not lose that during upgrades. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1950321 Title: [MIR] glusterfs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1950321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
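Review bot: In the Build-Depends hunk, dropping `libfuse-dev` is only correct while the build keeps compiling the fuse code from contrib/, and nothing in debian/control records that assumption. Suggest noting it in the changelog entry or in a comment next to Build-Depends, so the dependency is restored if upstream moves to the system fuse libraries.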
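Review bot: In the glusterfs-client Depends hunk, removing `fuse` is backed only by a successful build and an empty `dpkg -l | grep fuse`; neither shows that a mount works at runtime without the package. Suggest running the mount smoke test on a system with no fuse packages installed before dropping the `- fuse,` line.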
[Bug 1950321] Re: [MIR] glusterfs
Upstream is awesome, they have a PR up for being able to use the system provided lib xxhash instead of the bundled one, if one is found on the system: https://github.com/gluster/glusterfs/pull/3127
[Bug 1950321] Re: [MIR] glusterfs
** Changed in: glusterfs (Ubuntu)
    Milestone: ubuntu-22.02 => ubuntu-22.04-feature-freeze
[Bug 1950321] Re: [MIR] glusterfs
Required for 22.04, setting Critical + Milestone 22.02 (FeatureFreeze)

** Changed in: glusterfs (Ubuntu)
    Milestone: None => ubuntu-22.02

** Changed in: glusterfs (Ubuntu)
   Importance: Undecided => Critical
[Bug 1950321] Re: [MIR] glusterfs
Here is an explanation about fuse's fusermount vs gluster's: https://github.com/gluster/glusterfs/discussions/2212

"""
Glusterfs cannot use standard fusermount; the choice is either installing and using its own variant, or not facilitate unprivileged mounting.
"""

I didn't yet fully understand the details, I'll have to run some experiments. I have a build without gluster's fusermount.
[Bug 1950321] Re: [MIR] glusterfs
I filed https://github.com/gluster/glusterfs/issues/3097 for gluster to consider switching to the external xxhash library.

** Bug watch added: github.com/gluster/glusterfs/issues #3097
   https://github.com/gluster/glusterfs/issues/3097
[Bug 1950321] Re: [MIR] glusterfs
I'll file an upstream bug asking if they can switch to the upstream xxhash, and experiment a bit with building the glusterfs package with the option to use the system's fusermount command.
Re: [Bug 1950321] Re: [MIR] glusterfs
On Tue, Jan 4, 2022 at 9:25 PM Andreas Hasenack <1950...@bugs.launchpad.net> wrote:
>
> I did some investigation in all of the contrib/ directories:

Thanks for that investigation, it seems most of them are unused or really only a minor concern.

The two more interesting according to your analysis IMHO are xxhash and fuse. We have libfuse3-3 in main (and fuse3 can follow once depended on, currently as you know there is a fuse2->fuse3 move). Also libxxhash0 is in main since Hirsute.

So going forward if we can make glusterfs use those two from the system that would clearly eliminate the biggest chunks of embedded code concerns I'd think. I'm not sure this works, I'm saying those two seem to be good candidates to have a deeper look at.
[Bug 1950321] Re: [MIR] glusterfs
I did some investigation in all of the contrib/ directories:

[Embedded Sources]

[contrib/xxhash]
- https://github.com/Cyan4973/xxHash
- devel ML thread discussing its inclusion: http://lists.gluster.org/pipermail/gluster-devel/2017-June/053173.html
- mailing list thread said back then the linux distros didn't have xxhash packaged. We have it since bionic (so 2018)
- it claims the usage is not cryptographic
- we have it in ubuntu main (https://launchpad.net/ubuntu/+source/xxhash)
- version in jammy is 0.8.0, upstream is 0.8.1
- embedded version in glusterfs is 0.6.5, from April 2018 (https://github.com/Cyan4973/xxHash/releases/tag/v0.6.5)
- pinged upstream about it in slack (https://gluster.slack.com/archives/CHVRH5D50/p1641316163090300)
- -I xxhash.h includes the .c file too, inline:

  #if defined(XXH_INLINE_ALL) || defined(XXH_PRIVATE_API)
  #  include "xxhash.c"   /* include xxhash function bodies as `static`, for inlining */
  #endif

[contrib/umountd]
- not used on linux

[contrib/userspace-rcu]
- only used if the system has an old liburcu (<= 0.7). Ubuntu jammy has 0.8

  PKG_CHECK_MODULES([URCU_CDS], [liburcu-cds >= 0.8], [],
    [PKG_CHECK_MODULES([URCU_CDS], [liburcu-cds >= 0.7],
      [AC_DEFINE(URCU_OLD, 1, [Define if liburcu 0.6 or 0.7 is found])
       USE_CONTRIB_URCU='yes'],
      [AC_CHECK_HEADERS([urcu/cds.h],
        [AC_DEFINE(URCU_OLD, 1, [Define if liburcu 0.6 or 0.7 is found])
         URCU_CDS_LIBS='-lurcu-cds'
         USE_CONTRIB_URCU='yes'],
        [AC_MSG_ERROR([liburcu-cds not found])])])])

  And we get in config.h after a build:

  $ grep URCU_OLD config.h -B1
  /* Define if liburcu 0.6 or 0.7 is found */
  /* #undef URCU_OLD */

  That being said, the build command lines still pass "-I../../../../contrib/userspace-rcu" regardless

[contrib/timer-wheel]
- seems to have come from the linux kernel: linux/kernel/timer.c and others

[contrib/rbtree]
- comes from http://savannah.gnu.org/projects/avl
- version 2.0.3, last updated in 2007

[mount/]
- not used in linux: #if !defined(GF_LINUX_HOST_OS)

[contrib/macfuse]
- only used in macos/darwin

[contrib/libgen]
- basename_r.c: copied from glibc-2.12.1/string/basename.c, with modifications
- dirname_r.c: copied from glibc-2.12.1/string/memrchr.c and glibc-2.12.1/misc/dirname.c, with modifications

[contrib/libexecinfo]
- not used, because we define HAVE_BACKTRACE:

  $ grep HAVE_BACKTRACE config.h -B1
  /* define if found backtrace */
  #define HAVE_BACKTRACE 1

  And:

  $ grep HAVE_BACKTRACE contrib/libexecinfo/*
  contrib/libexecinfo/execinfo.c:#ifndef HAVE_BACKTRACE
  contrib/libexecinfo/execinfo_compat.h:#ifndef HAVE_BACKTRACE

[contrib/fuse-util]
- builds fusermount
- system's fusermount is suid root, and comes from the `fuse` package
- there is a configure option to use the system's fusermount, disabling this built-in copy, but it's not used in the packaging.

[contrib/fuse-lib]
- file has origin declaration and list of changes:

  * These functions (and gf_fuse_umount() in mount.c)
  * were originally taken from libfuse as of commit 7960e99e
  * (http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=7960e99e)
  * almost verbatim. What has been changed upon adoption:
  ...

[contrib/fuse-include]
- counterpart header files for the rest of the fuse contrib directories
[Bug 1950321] Re: [MIR] glusterfs
> - State a plan of how you will stay on top of the embedded sources (security
> issues, updates, ...)

I'll do this analysis in parallel
[Bug 1950321] Re: [MIR] glusterfs
Thereby the required TODOs are done AFAICS. Feel free to add more of the recommended steps, but until then this is New@ubuntu-security as it is waiting for the review.

** Changed in: glusterfs (Ubuntu)
       Status: Incomplete => New
[Bug 1950321] Re: [MIR] glusterfs
Debian adopted the dep8 test, and the package is in sync again.
[Bug 1950321] Re: [MIR] glusterfs
A DEP8 test was added and uploaded to jammy, and it migrated already.
[Bug 1950321] Re: [MIR] glusterfs
Review for Package: src:glusterfs

[Summary]
This is a big piece of software and might have quite some security implications (embedded sources, root daemon, regex parsing, lintian warnings, openssl3 warnings, ...) but I'll leave this to the security-team to judge on.

It is really unfortunate that it does not currently contain any automated testing. Thanks for starting the work on a DEP-8 test already, we absolutely need this! In addition it should be further investigated if the unit-tests can be run at build time or if we can setup similar test as the upstream CI that run during build. Having unit tests + DEP-8 would make me feel much more comfortable in ACKing this, but I guess having at least one of them is the bare minimum.

MIR team ACK under the constraint to resolve the below listed required TODOs and as much as possible having a look at the recommended TODOs.

This does need a security review, so I'll assign ubuntu-security

List of specific binary packages to be promoted to main: glusterfs-cli, glusterfs-client, glusterfs-common, glusterfs-server, libgfapi0, libgfchangelog0, libgfrpc0, libgfxdr0, libglusterd0, libglusterfs-dev, libglusterfs0

Specific binary packages built, but NOT to be promoted to main:

Required TODOs:
- Implement & upload the proposed autopkgtests (+ try to get them into Debian): Thanks for starting the work on this already! https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1954452
- State a plan of how you will stay on top of the embedded sources (security issues, updates, ...)

Recommended TODOs:
- The package should get a team bug subscriber before being promoted
- try to enable the unittests (BUILD_UNITTEST="no" in configure.ac) at buildtime
- Work with upstream to resolve the build time warnings
- Work with Debian to clean up the lintian warnings & overrides

[Duplication]
There is no other package in main providing the same functionality. There are some parallels to Ceph, as a scale-out storage solution, but the usecases are quite a bit different (object storage in a full cloud environment vs HA file storage), so I'm not considering this a duplication of functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- checked with check-mir
- not listed in seeded-in-ubuntu
- none of the (potentially auto-generated) dependencies (Depends and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no static linking
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard

Problems:
- Some embedded sources present (like xxhash, libexecinfo, ...) in contrib/

[Security]
OK:
- history of CVEs does not look concerning (there are plenty of CVEs, but the situation seems to have become much better since 2018, only one CVE in 2019 since then)
- does not use webkit1,2
- does not use lib*v8 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)

Problems:
- does run a daemon as root
- does open a port/socket
- does some regex parsing in libglusterfs/src/parse-utils.c

[Common blockers]
OK:
- does not FTBFS currently
- if special HW does prevent build/autopkgtest is there a test plan, code, log provided? – not needed
- if a non-trivial test on this level does not make sense (the lib alone is only doing rather simple things), is the overall solution (app+libs) extensively covered i.e. via end to end autopkgtest ? – not needed
- no new python2 dependency
- Python package, but using dh_python (some parts of it)
- NO Go package

Problems:
- does NOT have a test suite that runs at build time
- does NOT have a non-trivial test suite that runs as autopkgtest: https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1954452

[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under control
- symbols tracking is in place (using dh_makeshlibs -VUpstream-Version)
- d/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- d/rules is rather clean
- It is not on the lto-disabled list

Problems:
- some Lintian warnings (especially the no-symbols-control-file & hardening-no-fortify-functions)

[Upstream red flags]
OK:
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec (usage is OK inside tests)
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu => some cra
[Bug 1950321] Re: [MIR] glusterfs
** Changed in: glusterfs (Ubuntu)
     Assignee: (unassigned) => Lukas Märdian (slyon)
[Bug 1950321] Re: [MIR] glusterfs
I'm adding a DEP8 test to glusterfs here: https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1954452
[Bug 1950321] Re: [MIR] glusterfs
** Description changed: - Placeholder for new MIR attempt for glusterfs. Old MIR is bug #1274247 + Old MIR is bug #1274247 + + (launchpad will definitely wrap these lines and break the formatting: if + you want, I can post this content elsewhere, like a git repo) + + [Availability] + The package glusterfs is already in Ubuntu universe. + The package glusterfs build for the architectures it is designed to work on. + It currently builds and works for architetcures: amd64 arm64 armhf ppc64el riscv64 s390x + + Link to package https://launchpad.net/ubuntu/+source/glusterfs + + [Rationale] + The package glusterfs is required in Ubuntu main for: + - The package glusterfs will generally be useful for a large part of + our user base + - Additionally new use-cases enabled by this are: + - samba clustering support (we carry a packaging delta to disable it in Ubuntu) + - qemu native glusterfs support (bug #1246924) + + [Security] + For the security review, consider the points raised last time this was done, in 2014, when the first MIR was rejected: + + https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1274247/comments/14 + + cppcheck issues were fixed: + https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1274247/comments/19 + https://bugzilla.redhat.com/show_bug.cgi?id=1086460 + + + There are some strncat warnings during build, like these: + In file included from /usr/include/string.h:519, + from ../../../../libglusterfs/src/glusterfs/glusterfs.h:15, + from trash.h:13, + from trash.c:10: + In function ‘strncat’, + inlined from ‘trash_truncate_mkdir_cbk’ at trash.c:1730:13: + /usr/include/x86_64-linux-gnu/bits/string_fortified.h:135:10: warning: ‘__strncat_chk’ output may be truncated copying between 0 and 4095 bytes from a string of length 4095 [-Wstringop-truncation] + 135 | return __builtin___strncat_chk (__dest, __src, __len, + | ^~ + 136 | __glibc_objsize (__dest)); + | ~ + + + and + + In file included from /usr/include/string.h:519, + from 
../../../../libglusterfs/src/glusterfs/glusterfs.h:15, + from glusterd-utils.c:23: + In function ‘strncat’, + inlined from ‘glusterd_add_peers_to_auth_list’ at glusterd-utils.c:14997:27: + /usr/include/x86_64-linux-gnu/bits/string_fortified.h:135:10: warning: ‘strncat’ specified bound depends on the length of the source argument [-Wstringop-overflow=] + 135 | return __builtin___strncat_chk (__dest, __src, __len, + | ^~ + 136 | __glibc_objsize (__dest)); + | ~ + + + - http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=glusterfs + Plenty of vulnerabilities, but the most recent affected version is 4.1.4. Bionic ships 3.13.2, and focal has 7.2 already. Jammy is on 10.0 (proposed) + + - site:www.openwall.com/lists/oss-security glusterfs + Previously mentioned CVEs + No hits more recent than 2018. One from 2020, but about kube-controller-manager, which can affect storage volume types and glusterfs is in the list. + + - https://ubuntu.com/security/cve?q=glusterfs&package=&priority=&version=&status= + Plenty of CVEs, but note that from Focal onwards we are not affected + + - https://github.com/gluster/glusterdocs/security + Unclear if this is used. The advisories tab is empty. + + In general, it looks like that was a good shift to having a more secure + product, when compared to older versions, at least in terms of CVEs and + advisories. + + + - no `suid` or `sgid` binaries + - plenty of executables in `/sbin` and `/usr/sbin` + - Package installs services: + -rw-r--r-- 1 root root 604 Nov 25 13:38 /lib/systemd/system/glusterd.service + -rw-r--r-- 1 root root 416 Nov 25 13:38 /lib/systemd/system/glustereventsd.service + + glusterd runs as root and opens port 24007/tcp: + root 650 0.0 0.8 463484 16948 ?SLsl 13:07 0:00 /usr/sbin/glusterd -p /var/run/glusterd.pid --log-level INFO + + glusterfsd runs as root, and has port 51886/tcp open in the port list further below, but no dedicated service file for it. 
It must be spawned on demand: + root 879 0.0 0.9 678344 18976 ?SLsl 13:07 0:00 /usr/sbin/glusterfsd -s j3-gluster --volfile-id gv0.j3-gluster.data-brick1-gv0 -p /var/run/gluster/vols/gv0/j3-gluster-data-brick1-gv0.pid -S /var/run/gluster/151590e8a4cfce4e.socket --brick-name /data/brick1/gv0 -l /var/log/glusterfs/bricks/data-brick1-gv0.log --xlator-option *-posix.glusterd-uuid=039bb0cb-e8ae-4109-80c4-1680c0900046 --process-name brick --brick-port 51886 --xlator-option gv0-server.listen-port=51886 + + glusterfs runs as root. + On the server: + root 890 0.0 0.6 59