[nfs-utils/f15] Updated to latest upstream release: nfs-utils-1-2-5-rc1

Steve Dickson steved at fedoraproject.org
Thu Jul 21 19:49:28 UTC 2011


commit 5f2ed5368915cab7c3ebc55da61599ac6faaebd6
Author: Steve Dickson <steved at redhat.com>
Date:   Thu Jul 21 15:47:59 2011 -0400

    Updated to latest upstream release: nfs-utils-1-2-5-rc1
    
     * Fixed secure mounts (bz719775)
    
    Signed-off-by: Steve Dickson <steved at redhat.com>

 nfs-utils.1.2.5-rc1.patch |  216 +++++++++++++++++++++++++++++++++++++++++++++
 nfs-utils.spec            |   14 ++-
 2 files changed, 225 insertions(+), 5 deletions(-)
---
diff --git a/nfs-utils.1.2.5-rc1.patch b/nfs-utils.1.2.5-rc1.patch
new file mode 100644
index 0000000..8d0595a
--- /dev/null
+++ b/nfs-utils.1.2.5-rc1.patch
@@ -0,0 +1,216 @@
+diff -up nfs-utils-1.2.4/aclocal/rpcsec_vers.m4.orig nfs-utils-1.2.4/aclocal/rpcsec_vers.m4
+--- nfs-utils-1.2.4/aclocal/rpcsec_vers.m4.orig	2011-06-30 09:00:42.000000000 -0400
++++ nfs-utils-1.2.4/aclocal/rpcsec_vers.m4	2011-07-21 14:30:55.574408000 -0400
+@@ -1,7 +1,7 @@
+ dnl Checks librpcsec version
+ AC_DEFUN([AC_RPCSEC_VERSION], [
+ 
+-  PKG_CHECK_MODULES([GSSGLUE], [libgssglue >= 0.1])
++  PKG_CHECK_MODULES([GSSGLUE], [libgssglue >= 0.3])
+ 
+   dnl TI-RPC replaces librpcsecgss
+   if test "$enable_tirpc" = no; then
+diff -up nfs-utils-1.2.4/configure.ac.orig nfs-utils-1.2.4/configure.ac
+--- nfs-utils-1.2.4/configure.ac.orig	2011-07-21 14:30:42.702030000 -0400
++++ nfs-utils-1.2.4/configure.ac	2011-07-21 14:30:55.581408000 -0400
+@@ -264,9 +264,6 @@ if test "$enable_nfsv4" = yes; then
+   dnl check for nfsidmap libraries and headers
+   AC_LIBNFSIDMAP
+ 
+-  dnl enable nfsidmap when its support by libnfsidmap
+-  AM_CONDITIONAL(CONFIG_NFSIDMAP, [test "$enable_nfsidmap" = "yes"])
+-
+   dnl check for the keyutils libraries and headers
+   AC_KEYUTILS
+ 
+@@ -276,6 +273,9 @@ if test "$enable_nfsv4" = yes; then
+     AC_RPCSEC_VERSION
+   fi
+ fi
++dnl enable nfsidmap when its support by libnfsidmap
++AM_CONDITIONAL(CONFIG_NFSIDMAP, [test "$enable_nfsidmap" = "yes"])
++
+ 
+ if test "$knfsd_cv_glibc2" = no; then
+     AC_CHECK_LIB(bsd, daemon, [LIBBSD="-lbsd"])
+diff -up nfs-utils-1.2.4/support/nfs/exports.c.orig nfs-utils-1.2.4/support/nfs/exports.c
+--- nfs-utils-1.2.4/support/nfs/exports.c.orig	2011-07-21 14:30:42.731028000 -0400
++++ nfs-utils-1.2.4/support/nfs/exports.c	2011-07-21 14:30:55.588408000 -0400
+@@ -784,8 +784,9 @@ struct export_features *get_export_featu
+ 	fd = open(path, O_RDONLY);
+ 	if (fd == -1)
+ 		goto good;
+-	fd = read(fd, buf, 50);
+-	if (fd == -1)
++	c = read(fd, buf, 50);
++	close(fd);
++	if (c == -1)
+ 		goto err;
+ 	c = sscanf(buf, "%x %x", &ef.flags, &ef.secinfo_flags);
+ 	if (c != 2)
+diff -up nfs-utils-1.2.4/support/nsm/file.c.orig nfs-utils-1.2.4/support/nsm/file.c
+--- nfs-utils-1.2.4/support/nsm/file.c.orig	2011-07-21 14:30:42.722027000 -0400
++++ nfs-utils-1.2.4/support/nsm/file.c	2011-07-21 14:30:55.596409000 -0400
+@@ -396,18 +396,18 @@ nsm_drop_privileges(const int pidfd)
+ 		return false;
+ 	}
+ 
+-	if (st.st_uid == 0) {
+-		xlog_warn("Running as root.  "
+-			"chown %s to choose different user", nsm_base_dirname);
+-		return true;
+-	}
+-
+ 	if (chdir(nsm_base_dirname) == -1) {
+ 		xlog(L_ERROR, "Failed to change working directory to %s: %m",
+ 				nsm_base_dirname);
+ 		return false;
+ 	}
+ 
++	if (st.st_uid == 0) {
++		xlog_warn("Running as root.  "
++			"chown %s to choose different user", nsm_base_dirname);
++		return true;
++	}
++
+ 	/*
+ 	 * If the pidfile happens to reside on NFS, dropping privileges
+ 	 * will probably cause us to lose access, even though we are
+diff -up nfs-utils-1.2.4/utils/gssd/context_lucid.c.orig nfs-utils-1.2.4/utils/gssd/context_lucid.c
+--- nfs-utils-1.2.4/utils/gssd/context_lucid.c.orig	2011-06-30 09:00:42.000000000 -0400
++++ nfs-utils-1.2.4/utils/gssd/context_lucid.c	2011-07-21 14:30:55.602409000 -0400
+@@ -305,7 +305,7 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss
+ 
+ 	maj_stat = gss_free_lucid_sec_context(&min_stat, ctx, return_ctx);
+ 	if (maj_stat != GSS_S_COMPLETE) {
+-		pgsserr("gss_export_lucid_sec_context",
++		pgsserr("gss_free_lucid_sec_context",
+ 			maj_stat, min_stat, &krb5oid);
+ 		printerr(0, "WARN: failed to free lucid sec context\n");
+ 	}
+diff -up nfs-utils-1.2.4/utils/gssd/svcgssd_krb5.c.orig nfs-utils-1.2.4/utils/gssd/svcgssd_krb5.c
+--- nfs-utils-1.2.4/utils/gssd/svcgssd_krb5.c.orig	2011-06-30 09:00:42.000000000 -0400
++++ nfs-utils-1.2.4/utils/gssd/svcgssd_krb5.c	2011-07-21 14:30:55.609410000 -0400
+@@ -45,6 +45,7 @@
+ #include "gss_oids.h"
+ #include "err_util.h"
+ #include "svcgssd_krb5.h"
++#include "../mount/version.h"
+ 
+ #define MYBUFLEN 1024
+ 
+@@ -169,22 +170,44 @@ svcgssd_limit_krb5_enctypes(void)
+ {
+ #ifdef HAVE_SET_ALLOWABLE_ENCTYPES
+ 	u_int maj_stat, min_stat;
+-	krb5_enctype default_enctypes[] = { ENCTYPE_DES_CBC_CRC,
+-					    ENCTYPE_DES_CBC_MD5,
+-					    ENCTYPE_DES_CBC_MD4 };
+-	int default_num_enctypes =
+-		sizeof(default_enctypes) / sizeof(default_enctypes[0]);
+-	krb5_enctype *enctypes;
+-	int num_enctypes;
++	krb5_enctype old_kernel_enctypes[] = {
++		ENCTYPE_DES_CBC_CRC,
++		ENCTYPE_DES_CBC_MD5,
++		ENCTYPE_DES_CBC_MD4 };
++	krb5_enctype new_kernel_enctypes[] = {
++		ENCTYPE_AES256_CTS_HMAC_SHA1_96,
++		ENCTYPE_AES128_CTS_HMAC_SHA1_96,
++		ENCTYPE_DES3_CBC_SHA1,
++		ENCTYPE_ARCFOUR_HMAC,
++		ENCTYPE_DES_CBC_CRC,
++		ENCTYPE_DES_CBC_MD5,
++		ENCTYPE_DES_CBC_MD4 };
++	krb5_enctype *default_enctypes, *enctypes;
++	int default_num_enctypes, num_enctypes;
++
++
++	if (linux_version_code() < MAKE_VERSION(2, 6, 35)) {
++		default_enctypes = old_kernel_enctypes;
++		default_num_enctypes =
++			sizeof(old_kernel_enctypes) / sizeof(old_kernel_enctypes[0]);
++	} else {
++		default_enctypes = new_kernel_enctypes;
++		default_num_enctypes =
++			sizeof(new_kernel_enctypes) / sizeof(new_kernel_enctypes[0]);
++	}
+ 
+ 	get_kernel_supported_enctypes();
+ 
+ 	if (parsed_enctypes != NULL) {
+ 		enctypes = parsed_enctypes;
+ 		num_enctypes = parsed_num_enctypes;
++		printerr(2, "%s: Calling gss_set_allowable_enctypes with %d "
++			"enctypes from the kernel\n", __func__, num_enctypes);
+ 	} else {
+ 		enctypes = default_enctypes;
+ 		num_enctypes = default_num_enctypes;
++		printerr(2, "%s: Calling gss_set_allowable_enctypes with %d "
++			"enctypes from defaults\n", __func__, num_enctypes);
+ 	}
+ 
+ 	maj_stat = gss_set_allowable_enctypes(&min_stat, gssd_creds,
+diff -up nfs-utils-1.2.4/utils/mount/version.h.orig nfs-utils-1.2.4/utils/mount/version.h
+--- nfs-utils-1.2.4/utils/mount/version.h.orig	2011-06-30 09:00:42.000000000 -0400
++++ nfs-utils-1.2.4/utils/mount/version.h	2011-07-21 14:30:55.614413000 -0400
+@@ -23,8 +23,8 @@
+ #ifndef _NFS_UTILS_MOUNT_VERSION_H
+ #define _NFS_UTILS_MOUNT_VERSION_H
+ 
+-#include <stdlib.h>
+-#include <string.h>
++#include <stdio.h>
++#include <limits.h>
+ 
+ #include <sys/utsname.h>
+ 
+@@ -37,14 +37,16 @@ static inline unsigned int MAKE_VERSION(
+ static inline unsigned int linux_version_code(void)
+ {
+ 	struct utsname my_utsname;
+-	unsigned int p, q, r;
++	unsigned int p, q = 0, r = 0;
+ 
++	/* UINT_MAX as backward compatibility code should not be run */
+ 	if (uname(&my_utsname))
+-		return 0;
++		return UINT_MAX;
+ 
+-	p = (unsigned int)atoi(strtok(my_utsname.release, "."));
+-	q = (unsigned int)atoi(strtok(NULL, "."));
+-	r = (unsigned int)atoi(strtok(NULL, "."));
++	/* UINT_MAX as future versions might not start with an integer */
++	if (sscanf(my_utsname.release, "%u.%u.%u", &p, &q, &r) < 1)
++		return UINT_MAX;
++	
+ 	return MAKE_VERSION(p, q, r);
+ }
+ 
+diff -up nfs-utils-1.2.4/utils/nfsidmap/nfsidmap.man.orig nfs-utils-1.2.4/utils/nfsidmap/nfsidmap.man
+--- nfs-utils-1.2.4/utils/nfsidmap/nfsidmap.man.orig	2011-06-30 09:00:42.000000000 -0400
++++ nfs-utils-1.2.4/utils/nfsidmap/nfsidmap.man	2011-07-21 14:30:55.620410000 -0400
+@@ -25,9 +25,9 @@ will need to be modified so
+ can properly direct the upcall. The following line should be added before a call
+ to keyctl negate:
+ .PP
+-create	nfs_idmap	*	*	/usr/sbin/nfsidmap %k %d 600
++create	id_resolver	*	*	/usr/sbin/nfsidmap %k %d 600
+ .PP
+-This will direct all nfs_idmap requests to the program
++This will direct all id_resolver requests to the program
+ .I /usr/sbin/nfsidmap
+ The last parameter, 600, defines how many seconds into the future the key will
+ expire.  This is an optional parameter for
+@@ -48,9 +48,9 @@ You can choose to handle any of these in
+ generic upcall program.  If you would like to use your own program for a uid
+ lookup then you would edit your request-key.conf so it looks similar to this:
+ .PP
+-create	nfs_idmap	uid:*	*	/some/other/program %k %d 600
++create	id_resolver	uid:*	*	/some/other/program %k %d 600
+ .br
+-create	nfs_idmap	*		*	/usr/sbin/nfsidmap %k %d 600
++create	id_resolver	*		*	/usr/sbin/nfsidmap %k %d 600
+ .PP
+ Notice that the new line was added above the line for the generic program.
+ request-key will find the first matching line and run the corresponding program.
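Review bot: In the support/nfs/exports.c part of the added patch, the bytes returned by `read(fd, buf, 50)` are passed to `sscanf(buf, "%x %x", ...)` without a terminating NUL, so the parse can run past the data that was actually read. The declaration of `buf` is outside the hunk; if it is an uninitialised 50-byte stack array, as the literal 50 suggests, sscanf may consume stale stack contents or read beyond the end of the array. Reading one byte less than the buffer holds and terminating it closes that gap: `c = read(fd, buf, sizeof(buf) - 1);` and, after the `c == -1` check, `buf[c] = '\0';`. get_export_features begins and ends outside the visible lines, so this assumes `buf` is an array in that scope.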
diff --git a/nfs-utils.spec b/nfs-utils.spec
index 885da44..d65be35 100644
--- a/nfs-utils.spec
+++ b/nfs-utils.spec
@@ -2,7 +2,7 @@ Summary: NFS utilities and supporting clients and daemons for the kernel NFS ser
 Name: nfs-utils
 URL: http://sourceforge.net/projects/nfs
 Version: 1.2.4
-Release: 0%{?dist}
+Release: 1%{?dist}
 Epoch: 1
 
 # group all 32bit related archs
@@ -17,6 +17,8 @@ Source13: rpcgssd.init
 Source14: rpcsvcgssd.init
 Source15: nfs.sysconfig
 
+Patch001: nfs-utils.1.2.5-rc1.patch
+
 Patch100: nfs-utils-1.2.1-statdpath-man.patch
 Patch101: nfs-utils-1.2.2-statdpath.patch
 Patch102: nfs-utils-1.2.1-exp-subtree-warn-off.patch
@@ -69,9 +71,7 @@ This package also contains the mount.nfs and umount.nfs program.
 %prep
 %setup -q
 
-#%patch001 -p1
-#%patch002 -p1
-#%patch003 -p1
+%patch001 -p1
 
 %patch100 -p1
 %patch101 -p1
@@ -253,8 +253,12 @@ fi
 %attr(4755,root,root)   /sbin/umount.nfs4
 
 %changelog
+* Thu Jul 21 2011 Steve Dickson <steved at redhat.com> 1.2.4-1
+- Updated to latest upstream release: nfs-utils-1-2-5-rc1
+  * Fixed secure mounts (bz719775)
+
 * Thu Jun 30 2011 Steve Dickson <steved at redhat.com> 1.2.4-0
-- Updated to latest upstream relase: 1.2.4
+- Updated to latest upstream release: 1.2.4
     * Fixes CVE-2011-2500 (bz 716950)
 
 * Tue Apr 19 2011 Steve Dickson <steved at redhat.com> 1.2.3-11

