diff --git a/SOURCES/nfs-utils-2.3.3-exportfs-root.patch b/SOURCES/nfs-utils-2.3.3-exportfs-root.patch
new file mode 100644
index 0000000..4aa4bc1
--- /dev/null
+++ b/SOURCES/nfs-utils-2.3.3-exportfs-root.patch
@@ -0,0 +1,43 @@
+commit ac266e2edc4f40eef810d52c72657b645e4010db
+Author: Ondrej Mosnacek
+Date: Tue Apr 6 15:57:37 2021 -0400
+
+ exportfs: fix unexporting of '/'
+
+ The code that has been added to strip trailing slashes from path in
+ unexportfs_parsed() forgot to account for the case of the root
+ directory, which is simply '/'. In that case it accesses path[-1] and
+ reduces the path to an empty string, which then fails to match any
+ export.
+
+ Fix it by stopping the stripping when the path is just a single
+ character - it doesn't matter if it's a '/' or not, we want to keep it
+ either way in that case.
+
+ Reproducer:
+
+ exportfs localhost:/
+ exportfs -u localhost:/
+
+ Without this patch, the unexport step fails with "exportfs: Could not
+ find 'localhost:/' to unexport."
+
+ Fixes: a9a7728d8743 ("exportfs: Deal with path's trailing "/" in unexportfs_parsed()")
+ Link: https://bugzilla.redhat.com/show_bug.cgi?id=1941171
+
+ Signed-off-by: Ondrej Mosnacek
+ Signed-off-by: Steve Dickson
+
+diff --git a/utils/exportfs/exportfs.c b/utils/exportfs/exportfs.c
+index 262dd19a..25d757d8 100644
+--- a/utils/exportfs/exportfs.c
++++ b/utils/exportfs/exportfs.c
+@@ -383,7 +383,7 @@ unexportfs_parsed(char *hname, char *path, int verbose)
+ * so need to deal with it.
+ */
+ size_t nlen = strlen(path);
+- while (path[nlen - 1] == '/')
++ while ((nlen > 1) && (path[nlen - 1] == '/'))
+ nlen--;
+
+ for (exp = exportlist[htype].p_head; exp; exp = exp->m_next) {
diff --git a/SOURCES/nfs-utils-2.3.3-gssd-k5identity.patch b/SOURCES/nfs-utils-2.3.3-gssd-k5identity.patch
new file mode 100644
index 0000000..dd25da4
--- /dev/null
+++ b/SOURCES/nfs-utils-2.3.3-gssd-k5identity.patch
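Review bot: The new `(nlen > 1)` guard in the nested exportfs.c hunk also changes the empty-string case, which neither the commit message nor the comment above the loop mentions. With `path == ""` the old loop evaluated `path[nlen - 1]` with `nlen == 0`, an out-of-bounds read through an unsigned wrap, while the new condition short-circuits before the index. I would extend the existing comment with something like `/* never strip below one character: keeps "/" intact and avoids indexing path[nlen - 1] when nlen is 0 */`. `strlen(path)` still assumes a non-NULL `path`; whether callers guarantee that is not visible here, since unexportfs_parsed() starts and ends outside the hunk.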
@@ -0,0 +1,141 @@
+diff -up nfs-utils-2.3.3/nfs.conf.orig nfs-utils-2.3.3/nfs.conf
+--- nfs-utils-2.3.3/nfs.conf.orig 2021-04-17 10:49:23.660184527 -0400
++++ nfs-utils-2.3.3/nfs.conf 2021-04-17 11:14:41.482108562 -0400
+@@ -21,6 +21,7 @@ use-gss-proxy=1
+ # keytab-file=/etc/krb5.keytab
+ # cred-cache-directory=
+ # preferred-realm=
++# set-home=1
+ #
+ [lockd]
+ # port=0
+diff -up nfs-utils-2.3.3/systemd/nfs.conf.man.orig nfs-utils-2.3.3/systemd/nfs.conf.man
+--- nfs-utils-2.3.3/systemd/nfs.conf.man.orig 2021-04-17 10:49:23.696185472 -0400
++++ nfs-utils-2.3.3/systemd/nfs.conf.man 2021-04-17 11:14:41.483108588 -0400
+@@ -222,7 +222,8 @@ Recognized values:
+ .BR rpc-timeout ,
+ .BR keytab-file ,
+ .BR cred-cache-directory ,
+-.BR preferred-realm .
++.BR preferred-realm ,
++.BR set-home .
+
+ See
+ .BR rpc.gssd (8)
+diff -up nfs-utils-2.3.3/utils/gssd/gssd.c.orig nfs-utils-2.3.3/utils/gssd/gssd.c
+--- nfs-utils-2.3.3/utils/gssd/gssd.c.orig 2021-04-17 10:49:23.684185157 -0400
++++ nfs-utils-2.3.3/utils/gssd/gssd.c 2021-04-17 11:14:41.483108588 -0400
+@@ -87,6 +87,8 @@ unsigned int context_timeout = 0;
+ unsigned int rpc_timeout = 5;
+ char *preferred_realm = NULL;
+ char *ccachedir = NULL;
++/* set $HOME to "/" by default */
++static bool set_home = true;
+ /* Avoid DNS reverse lookups on server names */
+ static bool avoid_dns = true;
+ static bool use_gssproxy = false;
+@@ -885,7 +887,7 @@ sig_die(int signal)
+ static void
+ usage(char *progname)
+ {
+- fprintf(stderr, "usage: %s [-f] [-l] [-M] [-n] [-v] [-r] [-p pipefsdir] [-k keytab] [-d ccachedir] [-t timeout] [-R preferred realm] [-D]\n",
++ fprintf(stderr, "usage: %s [-f] [-l] [-M] [-n] [-v] [-r] [-p pipefsdir] [-k keytab] [-d ccachedir] [-t timeout] [-R preferred realm] [-D] [-H]\n",
+ progname);
+ exit(1);
+ }
+@@ -926,6 +928,7 @@ read_gss_conf(void)
+ preferred_realm = s;
+
+ use_gssproxy = conf_get_bool("gssd", "use-gss-proxy", use_gssproxy);
++ set_home = conf_get_bool("gssd", "set-home", set_home);
+ }
+
+ int
+@@ -946,7 +949,7 @@ main(int argc, char *argv[])
+ verbosity = conf_get_num("gssd", "verbosity", verbosity);
+ rpc_verbosity = conf_get_num("gssd", "rpc-verbosity", rpc_verbosity);
+
+- while ((opt = getopt(argc, argv, "DfvrlmnMp:k:d:t:T:R:")) != -1) {
++ while ((opt = getopt(argc, argv, "HDfvrlmnMp:k:d:t:T:R:")) != -1) {
+ switch (opt) {
+ case 'f':
+ fg = 1;
+@@ -994,6 +997,9 @@ main(int argc, char *argv[])
+ case 'D':
+ avoid_dns = false;
+ break;
++ case 'H':
++ set_home = false;
++ break;
+ default:
+ usage(argv[0]);
+ break;
+@@ -1003,13 +1009,19 @@ main(int argc, char *argv[])
+ /*
+ * Some krb5 routines try to scrape info out of files in the user's
+ * home directory. This can easily deadlock when that homedir is on a
+- * kerberized NFS mount. By setting $HOME unconditionally to "/", we
+- * prevent this behavior in routines that use $HOME in preference to
+- * the results of getpw*.
++ * kerberized NFS mount. By setting $HOME to "/" by default, we prevent
++ * this behavior in routines that use $HOME in preference to the results
++ * of getpw*.
++ *
++ * Some users do not use Kerberized home dirs and need $HOME to remain
++ * unchanged. Those users can leave $HOME unchanged by setting set_home
++ * to false.
+ */
+- if (setenv("HOME", "/", 1)) {
+- printerr(0, "gssd: Unable to set $HOME: %s\n", strerror(errno));
+- exit(1);
++ if (set_home) {
++ if (setenv("HOME", "/", 1)) {
++ printerr(0, "gssd: Unable to set $HOME: %s\n", strerror(errno));
++ exit(1);
++ }
+ }
+
+ if (use_gssproxy) {
+diff -up nfs-utils-2.3.3/utils/gssd/gssd.man.orig nfs-utils-2.3.3/utils/gssd/gssd.man
+--- nfs-utils-2.3.3/utils/gssd/gssd.man.orig 2021-04-17 10:49:23.650184264 -0400
++++ nfs-utils-2.3.3/utils/gssd/gssd.man 2021-04-17 11:14:41.484108615 -0400
+@@ -8,7 +8,7 @@
+ rpc.gssd \- RPCSEC_GSS daemon
+ .SH SYNOPSIS
+ .B rpc.gssd
+-.RB [ \-DfMnlvr ]
++.RB [ \-DfMnlvrH ]
+ .RB [ \-k
+ .IR keytab ]
+ .RB [ \-p
+@@ -297,6 +297,16 @@ The default timeout is set to 5 seconds.
+ If you get messages like "WARNING: can't create tcp rpc_clnt to server
+ %servername% for user with uid %uid%: RPC: Remote system error -
+ Connection timed out", you should consider an increase of this timeout.
++.TP
++.B -H
++Avoids setting $HOME to "/". This allows rpc.gssd to read per user k5identity
++files versus trying to read /.k5identity for each user.
++
++If
++.B \-H
++is not set, rpc.gssd will use the first match found in
++/var/kerberos/krb5/user/$EUID/client.keytab and will not use a principal based on
++host and/or service parameters listed in $HOME/.k5identity.
+ .SH CONFIGURATION FILE
+ Many of the options that can be set on the command line can also be
+ controlled through values set in the
+@@ -354,6 +364,13 @@ Equivalent to
+ .B preferred-realm
+ Equivalent to
+ .BR -R .
++.TP
++.B set-home
++Setting to
++.B false
++is equivalent to providing the
++.B -H
++flag.
+ .P
+ In addtion, the following value is recognized from the
+ .B [general]
diff --git a/SOURCES/nfs-utils-2.3.3-gssd-man-tflag.patch b/SOURCES/nfs-utils-2.3.3-gssd-man-tflag.patch
new file mode 100644
index 0000000..d710faa
--- /dev/null
+++ b/SOURCES/nfs-utils-2.3.3-gssd-man-tflag.patch
@@ -0,0 +1,17 @@
+diff -up nfs-utils-2.3.3/utils/gssd/gssd.man.orig nfs-utils-2.3.3/utils/gssd/gssd.man
+--- nfs-utils-2.3.3/utils/gssd/gssd.man.orig 2021-04-17 11:21:18.326543446 -0400
++++ nfs-utils-2.3.3/utils/gssd/gssd.man 2021-04-17 12:35:59.867574517 -0400
+@@ -347,11 +347,11 @@ Equivalent to
+ .TP
+ .B context-timeout
+ Equivalent to
+-.BR -T .
++.BR -t .
+ .TP
+ .B rpc-timeout
+ Equivalent to
+-.BR -t .
++.BR -T .
+ .TP
+ .B keytab-file
+ Equivalent to
diff --git a/SPECS/nfs-utils.spec b/SPECS/nfs-utils.spec
index 2d9af3b..8648b80 100644
--- a/SPECS/nfs-utils.spec
+++ b/SPECS/nfs-utils.spec
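Review bot: The `-H` and `set-home` entries added to gssd.man in the gssd-k5identity patch omit the deadlock warning that the gssd.c comment in the same patch keeps. Leaving $HOME unchanged lets krb5 routines read files under the user's home directory again, which that comment says can easily deadlock when the home directory is on a Kerberized NFS mount. I would add to both entries a sentence such as `Do not use this option when home directories are on Kerberized NFS mounts, as rpc.gssd can then deadlock while reading them.` It would also help to say that the per-user .k5identity files are presumably user-writable input to a daemon that normally runs privileged, so an administrator enabling `-H` is deliberately letting users influence principal selection. main() starts and ends outside the nested hunks, so the ordering of read_gss_conf() relative to option parsing is not visible here.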
@@ -2,7 +2,7 @@ Summary: NFS utilities and supporting clients and daemons for the kernel NFS ser Name: nfs-utils URL: http://linux-nfs.org/ Version: 2.3.3 -Release: 41%{?dist} +Release: 42%{?dist} Epoch: 1 # group all 32bit related archs @@ -73,6 +73,14 @@ Patch035: nfs-utils-2.3.3-exports-manpage-outdated.patch Patch036: nfs-utils-2.3.3-gssd-multithread-updates.patch Patch037: nfs-utils-2.3.3-mountd-pseudofs.patch +# +# RHEL 8.5 +# +Patch038: nfs-utils-2.3.3-gssd-k5identity.patch +Patch039: nfs-utils-2.3.3-gssd-man-tflag.patch +Patch040: nfs-utils-2.3.3-exportfs-root.patch + + Patch100: nfs-utils-1.2.1-statdpath-man.patch Patch101: nfs-utils-1.2.1-exp-subtree-warn-off.patch Patch102: nfs-utils-2.3.3-idmap-errmsg.patch @@ -355,6 +363,11 @@ fi %{_libdir}/libnfsidmap.so %changelog +* Mon May 10 2021 Steve Dickson 2.3.3-42 +- gssd: Add options to allow for the use of ~/.k5identity file (bz 1868087) +- man: Correct gssd(8) description of rpc-timeout and context-timeout (bz 1908232) +- exportfs: fix unexporting of '/' (bz 1944119) + * Wed Jan 20 2021 Steve Dickson 2.3.3-41 - mountd: never root squash on the pseudofs (bz 1804912)