[nfs-utils] Updated to latest upstream RC release: nfs-utils.1.2.7-rc1
Steve Dickson
steved at fedoraproject.org
Tue May 29 19:20:32 UTC 2012
commit d9bf18f2883ec864668ea0897f633e6cde51991e
Author: Steve Dickson <steved at redhat.com>
Date: Tue May 29 15:10:34 2012 -0400
Updated to latest upstream RC release: nfs-utils.1.2.7-rc1
Signed-off-by: Steve Dickson <steved at redhat.com>
nfs-utils.1.2.7-rc1.patch | 478 +++++++++++++++++++++++++++++++++++++++++++++
nfs-utils.spec | 9 +-
2 files changed, 484 insertions(+), 3 deletions(-)
---
diff --git a/nfs-utils.1.2.7-rc1.patch b/nfs-utils.1.2.7-rc1.patch
new file mode 100644
index 0000000..f0167d8
--- /dev/null
+++ b/nfs-utils.1.2.7-rc1.patch
@@ -0,0 +1,478 @@
+commit eae2fa997223ce0edb4218faf2ff67165535d21d
+Author: J. Bruce Fields <bfields at redhat.com>
+Date: Tue May 29 14:40:38 2012 -0400
+
+ mountd: Honor the no_root_squash flag on pseudo roots
+
+ From: "J. Bruce Fields" <bfields at redhat.com>
+
+ If root squashing is turned off on a export that
+ has multiple directories, the parent directories
+ of the pseudo exports that's built, also needs to
+ have root squashing turned off.
+
+ Tested-by: Steve Dickson <steved at redhat.com>
+ Signed-off-by: Steve Dickson <steved at redhat.com>
+
+diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c
+index 708eb61..726b50d 100644
+--- a/utils/mountd/v4root.c
++++ b/utils/mountd/v4root.c
+@@ -62,6 +62,8 @@ void set_pseudofs_security(struct exportent *pseudo, struct exportent *source)
+
+ if (source->e_flags & NFSEXP_INSECURE_PORT)
+ pseudo->e_flags |= NFSEXP_INSECURE_PORT;
++ if ((source->e_flags & NFSEXP_ROOTSQUASH) == 0)
++ pseudo->e_flags &= ~NFSEXP_ROOTSQUASH;
+ for (se = source->e_secinfo; se->flav; se++) {
+ struct sec_entry *new;
+
+@@ -92,7 +94,8 @@ v4root_create(char *path, nfs_export *export)
+ exp = export_create(&eep, 0);
+ if (exp == NULL)
+ return NULL;
+- xlog(D_CALL, "v4root_create: path '%s'", exp->m_export.e_path);
++ xlog(D_CALL, "v4root_create: path '%s' flags 0x%x",
++ exp->m_export.e_path, exp->m_export.e_flags);
+ return &exp->m_export;
+ }
+
+
+commit b66c96de551b650680a65a732a1338c3ec25b436
+Author: Adam Sampson <ats at offog.org>
+Date: Tue May 29 14:37:22 2012 -0400
+
+ nsm_client: nsm_client needs to link with libtirpc
+
+ nsm_client needs to link against libtirpc.
+
+ Signed-off-by: Steve Dickson <steved at redhat.com>
+
+diff --git a/tests/nsm_client/Makefile.am b/tests/nsm_client/Makefile.am
+index 4bf0a45..4c15346 100644
+--- a/tests/nsm_client/Makefile.am
++++ b/tests/nsm_client/Makefile.am
+@@ -13,7 +13,7 @@ nsm_client_SOURCES = $(GENFILES) nsm_client.c
+
+ BUILT_SOURCES = $(GENFILES)
+ nsm_client_LDADD = ../../support/nfs/libnfs.a \
+- ../../support/nsm/libnsm.a $(LIBCAP)
++ ../../support/nsm/libnsm.a $(LIBCAP) $(LIBTIRPC)
+
+ if CONFIG_RPCGEN
+ RPCGEN = $(top_builddir)/tools/rpcgen/rpcgen
+
+commit 0781cf2a60dbb0d8997c4abef103d80f819cd16f
+Author: Steve Dickson <steved at redhat.com>
+Date: Tue May 29 14:31:57 2012 -0400
+
+ Updated the version number.
+
+ Signed-off-by: Steve Dickson <steved at redhat.com>
+
+diff --git a/README b/README
+index 348f5d4..e55b2dd 100644
+--- a/README
++++ b/README
+@@ -1,4 +1,4 @@
+-This is version 1.1.0 of nfs-utils, the Linux NFS utility package.
++This is version 1.2.6 of nfs-utils, the Linux NFS utility package.
+
+
+ 0. PROJECT RESOURCES
+
+commit 43537ecbc1ab3ae7cefe5d47e7e03b14bf428197
+Author: Steve Dickson <steved at redhat.com>
+Date: Tue May 29 14:27:24 2012 -0400
+
+ nfsidmap: Allow verbosity level to be set in the config file
+
+ To make it easier to enable ID mapping debugging, nfsidmap
+ should read /etc/idmap.conf to see if the verbosity level
+ is set, similar to what rpc.idmapd does
+
+ Signed-off-by: Steve Dickson <steved at redhat.com>
+
+diff --git a/utils/nfsidmap/nfsidmap.c b/utils/nfsidmap/nfsidmap.c
+index cf11551..b767395 100644
+--- a/utils/nfsidmap/nfsidmap.c
++++ b/utils/nfsidmap/nfsidmap.c
+@@ -12,6 +12,7 @@
+
+ #include <unistd.h>
+ #include "xlog.h"
++#include "conffile.h"
+
+ int verbose = 0;
+ char *usage="Usage: %s [-v] [-c || [-u|-g|-r key] || [-t timeout] key desc]";
+@@ -26,12 +27,27 @@ char *usage="Usage: %s [-v] [-c || [-u|-g|-r key] || [-t timeout] key desc]";
+ #define DEFAULT_KEYRING "id_resolver"
+ #endif
+
++#ifndef PATH_IDMAPDCONF
++#define PATH_IDMAPDCONF "/etc/idmapd.conf"
++#endif
++
+ static int keyring_clear(char *keyring);
+
+ #define UIDKEYS 0x1
+ #define GIDKEYS 0x2
+
+ /*
++ * Check to the config file for the verbosity level
++ */
++int
++get_config_verbose(char *path)
++{
++ conf_path = path;
++ conf_init();
++ return conf_get_num("General", "Verbosity", 0);
++}
++
++/*
+ * Find either a user or group id based on the name at domain string
+ */
+ int id_lookup(char *name_at_domain, key_serial_t key, int type)
+@@ -266,7 +282,9 @@ int main(int argc, char **argv)
+ break;
+ }
+ }
+-
++ if (!verbose) {
++ verbose = get_config_verbose(PATH_IDMAPDCONF);
++ }
+ if (keystr) {
+ rc = key_revoke(keystr, keymask);
+ return rc;
+
+commit 1ca82a963ace17397bd7ec09f5e0707badd7c254
+Author: Jeff Layton <jlayton at redhat.com>
+Date: Tue May 29 14:23:18 2012 -0400
+
+ statd: drop all capabilities from the bounding set as well
+
+ statd drops all capabilities except for CAP_NET_BIND when it starts.
+ It's possible though that if it ever had a compromise that an attacker would
+ be able to invoke a setuid process (or something with file capabilities) in
+ order to reinstate some caps.
+
+ This could happen as a result of the daemon becoming compromised, or
+ possibly as a result of the ha-callout program becoming compromised.
+
+ In order to prevent that, have statd also prune the capability bounding
+ set to nothing prior to dropping capabilities. That ensures that the
+ process won't be able to reacquire capabilities via any means --
+ including exec'ing a setuid program.
+
+ We do however need to be cognizant of the fact that PR_CAPBSET_DROP was
+ only added in 2.6.25, so check to make sure that #define exists via
+ autoconf before we rely on it. In order to do that, we must add
+ ax_check_define.m4 from the GNU autoconf macro archive.
+
+ Furthermore, do a runtime check to see if /proc/sys/kernel/cap-bound
+ exists before attempting to clear the bounding set. If it does, then
+ don't bother trying since it won't work. In that event though, do
+ throw a warning however since the presence of that file indicates that
+ there is a disconnect between the build and runtime environments.
+
+ Acked-by: Chuck Lever <chuck.lever at oracle.com>
+ Signed-off-by: Jeff Layton <jlayton at redhat.com>
+ Signed-off-by: Steve Dickson <steved at redhat.com>
+
+diff --git a/support/nsm/file.c b/support/nsm/file.c
+index 5dd52c1..5476446 100644
+--- a/support/nsm/file.c
++++ b/support/nsm/file.c
+@@ -338,10 +338,10 @@ nsm_is_default_parentdir(void)
+ *
+ * Returns true if successful, or false if some error occurred.
+ */
++#ifdef HAVE_SYS_CAPABILITY_H
+ static _Bool
+ nsm_clear_capabilities(void)
+ {
+-#ifdef HAVE_SYS_CAPABILITY_H
+ cap_t caps;
+
+ caps = cap_from_text("cap_net_bind_service=ep");
+@@ -357,10 +357,60 @@ nsm_clear_capabilities(void)
+ }
+
+ (void)cap_free(caps);
+-#endif
+ return true;
+ }
+
++#define CAP_BOUND_PROCFILE "/proc/sys/kernel/cap-bound"
++static _Bool
++prune_bounding_set(void)
++{
++#ifdef PR_CAPBSET_DROP
++ int ret;
++ unsigned long i;
++ struct stat st;
++
++ /*
++ * Prior to kernel 2.6.25, the capabilities bounding set was a global
++ * value. Check to see if /proc/sys/kernel/cap-bound exists and don't
++ * bother to clear the bounding set if it does.
++ */
++ ret = stat(CAP_BOUND_PROCFILE, &st);
++ if (!ret) {
++ xlog(L_WARNING, "%s exists. Not attempting to clear "
++ "capabilities bounding set.",
++ CAP_BOUND_PROCFILE);
++ return true;
++ } else if (errno != ENOENT) {
++ /* Warn, but attempt to clear the bounding set anyway. */
++ xlog(L_WARNING, "Unable to stat %s: %m", CAP_BOUND_PROCFILE);
++ }
++
++ /* prune the bounding set to nothing */
++ for (i = 0; i <= CAP_LAST_CAP; ++i) {
++ ret = prctl(PR_CAPBSET_DROP, i, 0, 0, 0);
++ if (ret) {
++ xlog(L_ERROR, "Unable to prune capability %lu from "
++ "bounding set: %m", i);
++ return false;
++ }
++ }
++#endif /* PR_CAPBSET_DROP */
++ return true;
++}
++#else /* !HAVE_SYS_CAPABILITY_H */
++static _Bool
++nsm_clear_capabilities(void)
++{
++ return true;
++}
++
++static _Bool
++prune_bounding_set(void)
++{
++ return true;
++}
++#endif /* HAVE_SYS_CAPABILITY_H */
++
+ /**
+ * nsm_drop_privileges - drop root privileges
+ * @pidfd: file descriptor of a pid file
+@@ -393,6 +443,9 @@ nsm_drop_privileges(const int pidfd)
+ return false;
+ }
+
++ if (!prune_bounding_set())
++ return false;
++
+ if (st.st_uid == 0) {
+ xlog_warn("Running as root. "
+ "chown %s to choose different user", nsm_base_dirname);
+
+commit ddb095f82becc94c8e3a2429cc755dee5d1808c9
+Author: Diego Elio Pettenò <flameeyes at flameeyes.eu>
+Date: Tue May 29 14:15:32 2012 -0400
+
+ build: avoid AM_CONDITIONAL in conditional execution.
+
+ Automake does not support conditional AM_CONDITIONAL calls; what that
+ means is that you always have to execute AM_CONDITIONAL one way or the
+ other. Both the libsqlite3.m4 file and the nfsdcld conditionals are
+ executed only when NFSv4 is enabled, which breaks building with
+ --disable-nfsv4.
+
+ Remove the SQLite3 conditional altogether as it's never used, and move
+ the nfsdcld conditional outside of the conditional code.
+
+ Acked-by: Jeff Layton <jlayton at redhat.com>
+ Signed-off-by: Diego Elio Pettenò <flameeyes at flameeyes.eu>
+ Signed-off-by: Steve Dickson <steved at redhat.com>
+
+diff --git a/aclocal/libsqlite3.m4 b/aclocal/libsqlite3.m4
+index 73d1e46..8c38993 100644
+--- a/aclocal/libsqlite3.m4
++++ b/aclocal/libsqlite3.m4
+@@ -29,5 +29,4 @@ AC_DEFUN([AC_SQLITE3_VERS], [
+ LIBS="$saved_LIBS"])
+
+ AC_MSG_RESULT($libsqlite3_cv_is_recent)
+- AM_CONDITIONAL(CONFIG_SQLITE3, [test "$libsqlite3_cv_is_recent" = "yes"])
+ ])dnl
+diff --git a/configure.ac b/configure.ac
+index 9ba53e2..b408f1b 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -278,8 +278,6 @@ if test "$enable_nfsv4" = yes; then
+ fi
+ fi
+
+- AM_CONDITIONAL(CONFIG_NFSDCLD, [test "$enable_nfsdcld" = "yes" ])
+-
+ dnl librpcsecgss already has a dependency on libgssapi,
+ dnl but we need to make sure we get the right version
+ if test "$enable_gss" = yes; then
+@@ -293,6 +291,7 @@ if test "$enable_nfsv41" = yes; then
+ fi
+
+ dnl enable nfsidmap when its support by libnfsidmap
++AM_CONDITIONAL(CONFIG_NFSDCLD, [test "$enable_nfsdcld" = "yes" ])
+ AM_CONDITIONAL(CONFIG_NFSIDMAP, [test "$ac_cv_header_keyutils_h$ac_cv_lib_nfsidmap_nfs4_owner_to_uid" = "yesyes"])
+
+
+
+commit 7e9c0f760397d7e8fa78bdeefffc14eb8269925b
+Author: Jeff Layton <jlayton at redhat.com>
+Date: Tue May 29 13:53:09 2012 -0400
+
+ autoconf: make the test for prctl have an effect
+
+ We currently test to ensure that prctl() is available, but the results
+ of that test are a no-op either way. statd calls prctl()
+ unconditionally, so make configure bail out if prctl() isn't available
+ since the build will fail in that event anyway.
+
+ Cc: Chuck Lever <chuck.lever at oracle.com>
+ Signed-off-by: Jeff Layton <jlayton at redhat.com>
+ Signed-off-by: Steve Dickson <steved at redhat.com>
+
+diff --git a/aclocal/libcap.m4 b/aclocal/libcap.m4
+index 68a624c..f8a0ed1 100644
+--- a/aclocal/libcap.m4
++++ b/aclocal/libcap.m4
+@@ -3,7 +3,7 @@ dnl
+ AC_DEFUN([AC_LIBCAP], [
+
+ dnl look for prctl
+- AC_CHECK_FUNC([prctl], , )
++ AC_CHECK_FUNC([prctl], , AC_MSG_ERROR([prctl syscall is not available]))
+
+ AC_ARG_ENABLE([caps],
+ [AS_HELP_STRING([--disable-caps], [Disable capabilities support])])
+
+commit 646be42c84305d02dea06113cc9e6c9a7ab94f8a
+Author: Steve Dickson <steved at redhat.com>
+Date: Thu May 17 08:16:29 2012 -0400
+
+ Makefile.am: Corrected a misspelling of overridden
+
+ Signed-off-by: Steve Dickson <steved at redhat.com>
+
+diff --git a/utils/mount/Makefile.am b/utils/mount/Makefile.am
+index 7627854..5810936 100644
+--- a/utils/mount/Makefile.am
++++ b/utils/mount/Makefile.am
+@@ -1,7 +1,7 @@
+ ## Process this file with automake to produce Makefile.in
+
+ # These binaries go in /sbin (not /usr/sbin), and that cannot be
+-# overriden at config time.
++# overridden at config time.
+ sbindir = /sbin
+
+ man8_MANS = mount.nfs.man umount.nfs.man
+
+commit d4d392087f8ee049ed8f476e5ae780cbc0d0012a
+Author: NeilBrown <neilb at suse.de>
+Date: Thu May 17 08:14:57 2012 -0400
+
+ osd_login - ensure /sbin is created before installation.
+
+ If we use a more standard approach to describing the osd_login
+ script, the automake infrastructure will create /sbin before
+ attempting installation.
+ This is important for: make DESTDIR=/empty-dir install
+
+ Signed-off-by: NeilBrown <neilb at suse.de>
+ Signed-off-by: Steve Dickson <steved at redhat.com>
+
+diff --git a/utils/osd_login/Makefile.am b/utils/osd_login/Makefile.am
+index adc493a..20c2d8c 100644
+--- a/utils/osd_login/Makefile.am
++++ b/utils/osd_login/Makefile.am
+@@ -1,12 +1,9 @@
+ ## Process this file with automake to produce Makefile.in
+
+-OSD_LOGIN_FILES= osd_login
++# These binaries go in /sbin (not /usr/sbin), and that cannot be
++# overridden at config time.
++sbindir = /sbin
+
+-EXTRA_DIST= $(OSD_LOGIN_FILES)
+-
+-all-local: $(OSD_LOGIN_FILES)
+-
+-install-data-hook:
+- $(INSTALL) --mode 755 osd_login $(DESTDIR)/sbin/osd_login
++sbin_SCRIPTS = osd_login
+
+ MAINTAINERCLEANFILES = Makefile.in
+
+commit a69f6aeb19841f5a95c3eb4f4e5fe5ca0db247f4
+Author: Jim Rees <rees at umich.edu>
+Date: Tue May 15 10:10:01 2012 -0400
+
+ blkmapd: remove pretty_sig()
+
+ This really only works against EMC servers. There is at least one server
+ that returns unprintable signatures, which fill the log with garbage (the
+ spec does not mandate printable signatures). It could be made more generic,
+ for example by checking each byte for isprint(). But the signatures are
+ really only of interest to developers, not admins, so it seems better to
+ just remove it.
+
+ Signed-off-by: Jim Rees <rees at umich.edu>
+ Signed-off-by: Steve Dickson <steved at redhat.com>
+
+diff --git a/utils/blkmapd/device-process.c b/utils/blkmapd/device-process.c
+index 652a7a8..5fe3dff 100644
+--- a/utils/blkmapd/device-process.c
++++ b/utils/blkmapd/device-process.c
+@@ -49,28 +49,6 @@
+
+ #include "device-discovery.h"
+
+-static char *pretty_sig(char *sig, uint32_t siglen)
+-{
+- static char rs[100];
+- uint64_t sigval;
+- unsigned int i;
+-
+- if (siglen <= sizeof(sigval)) {
+- sigval = 0;
+- for (i = 0; i < siglen; i++)
+- sigval |= ((unsigned char *)sig)[i] << (i * 8);
+- sprintf(rs, "0x%0llx", (unsigned long long) sigval);
+- } else {
+- if (siglen > sizeof rs - 4) {
+- siglen = sizeof rs - 4;
+- sprintf(&rs[siglen], "...");
+- } else
+- rs[siglen] = '\0';
+- memcpy(rs, sig, siglen);
+- }
+- return rs;
+-}
+-
+ uint32_t *blk_overflow(uint32_t * p, uint32_t * end, size_t nbytes)
+ {
+ uint32_t *q = p + ((nbytes + 3) >> 2);
+@@ -109,9 +87,6 @@ static int decode_blk_signature(uint32_t **pp, uint32_t * end,
+ * for mapping, then thrown away.
+ */
+ comp->bs_string = (char *)p;
+- BL_LOG_INFO("%s: si_comps[%d]: bs_length %d, bs_string %s\n",
+- __func__, i, siglen,
+- pretty_sig(comp->bs_string, siglen));
+ p += ((siglen + 3) >> 2);
+ }
+ *pp = p;
+@@ -152,10 +127,6 @@ read_cmp_blk_sig(struct bl_disk *disk, int fd, struct bl_sig_comp *comp)
+ }
+
+ ret = memcmp(sig, comp->bs_string, siglen);
+- if (!ret)
+- BL_LOG_INFO("%s: %s sig %s at %lld\n", __func__, dev_name,
+- pretty_sig(sig, siglen),
+- (long long)comp->bs_offset);
+
+ out:
+ if (sig)
diff --git a/nfs-utils.spec b/nfs-utils.spec
index 3a5a760..574c996 100644
--- a/nfs-utils.spec
+++ b/nfs-utils.spec
@@ -2,7 +2,7 @@ Summary: NFS utilities and supporting clients and daemons for the kernel NFS ser
Name: nfs-utils
URL: http://sourceforge.net/projects/nfs
Version: 1.2.6
-Release: 2%{?dist}
+Release: 3%{?dist}
Epoch: 1
# group all 32bit related archs
@@ -34,7 +34,7 @@ Source52: nfs-server.postconfig
Source60: nfs4-modalias.conf
-Patch001: 0001-blkmapd-remove-pretty_sig.patch
+Patch001: nfs-utils.1.2.7-rc1.patch
Patch100: nfs-utils-1.2.1-statdpath-man.patch
Patch101: nfs-utils-1.2.1-exp-subtree-warn-off.patch
@@ -293,7 +293,10 @@ fi
%attr(4755,root,root) /sbin/umount.nfs4
%changelog
-* Tue May 29 2012 Steve Dickson <steved at redhat.com> 1.2.6-1
+* Tue May 29 2012 Steve Dickson <steved at redhat.com> 1.2.6-3
+- Updated to latest upstream RC release: nfs-utils.1.2.7-rc1
+
+* Tue May 29 2012 Steve Dickson <steved at redhat.com> 1.2.6-2
* Fixed typo in the checking of nfsnobody (bz 816149)
* Fri May 25 2012 Steve Dickson <steved at redhat.com> 1.2.6-1
More information about the scm-commits
mailing list