diff -up nfs-utils-1.2.4/aclocal/rpcsec_vers.m4.orig nfs-utils-1.2.4/aclocal/rpcsec_vers.m4 --- nfs-utils-1.2.4/aclocal/rpcsec_vers.m4.orig 2011-06-30 09:00:42.000000000 -0400 +++ nfs-utils-1.2.4/aclocal/rpcsec_vers.m4 2011-07-21 14:30:55.574408000 -0400 @@ -1,7 +1,7 @@ dnl Checks librpcsec version AC_DEFUN([AC_RPCSEC_VERSION], [ - PKG_CHECK_MODULES([GSSGLUE], [libgssglue >= 0.1]) + PKG_CHECK_MODULES([GSSGLUE], [libgssglue >= 0.3]) dnl TI-RPC replaces librpcsecgss if test "$enable_tirpc" = no; then diff -up nfs-utils-1.2.4/configure.ac.orig nfs-utils-1.2.4/configure.ac --- nfs-utils-1.2.4/configure.ac.orig 2011-07-21 14:30:42.702030000 -0400 +++ nfs-utils-1.2.4/configure.ac 2011-07-21 14:30:55.581408000 -0400 @@ -264,9 +264,6 @@ if test "$enable_nfsv4" = yes; then dnl check for nfsidmap libraries and headers AC_LIBNFSIDMAP - dnl enable nfsidmap when its support by libnfsidmap - AM_CONDITIONAL(CONFIG_NFSIDMAP, [test "$enable_nfsidmap" = "yes"]) - dnl check for the keyutils libraries and headers AC_KEYUTILS @@ -276,6 +273,9 @@ if test "$enable_nfsv4" = yes; then AC_RPCSEC_VERSION fi fi +dnl enable nfsidmap when its support by libnfsidmap +AM_CONDITIONAL(CONFIG_NFSIDMAP, [test "$enable_nfsidmap" = "yes"]) + if test "$knfsd_cv_glibc2" = no; then AC_CHECK_LIB(bsd, daemon, [LIBBSD="-lbsd"]) diff -up nfs-utils-1.2.4/support/nfs/exports.c.orig nfs-utils-1.2.4/support/nfs/exports.c --- nfs-utils-1.2.4/support/nfs/exports.c.orig 2011-07-21 14:30:42.731028000 -0400 +++ nfs-utils-1.2.4/support/nfs/exports.c 2011-07-21 14:30:55.588408000 -0400 
@@ -784,8 +784,9 @@ struct export_features *get_export_featu fd = open(path, O_RDONLY); if (fd == -1) goto good; - fd = read(fd, buf, 50); - if (fd == -1) + c = read(fd, buf, 50); + close(fd); + if (c == -1) goto err; c = sscanf(buf, "%x %x", &ef.flags, &ef.secinfo_flags); if (c != 2) diff -up nfs-utils-1.2.4/support/nsm/file.c.orig nfs-utils-1.2.4/support/nsm/file.c --- nfs-utils-1.2.4/support/nsm/file.c.orig 2011-07-21 14:30:42.722027000 -0400 +++ nfs-utils-1.2.4/support/nsm/file.c 2011-07-21 14:30:55.596409000 -0400 @@ -396,18 +396,18 @@ nsm_drop_privileges(const int pidfd) return false; } - if (st.st_uid == 0) { - xlog_warn("Running as root. " - "chown %s to choose different user", nsm_base_dirname); - return true; - } - if (chdir(nsm_base_dirname) == -1) { xlog(L_ERROR, "Failed to change working directory to %s: %m", nsm_base_dirname); return false; } + if (st.st_uid == 0) { + xlog_warn("Running as root. " + "chown %s to choose different user", nsm_base_dirname); + return true; + } + /* * If the pidfile happens to reside on NFS, dropping privileges * will probably cause us to lose access, even though we are diff -up nfs-utils-1.2.4/utils/gssd/context_lucid.c.orig nfs-utils-1.2.4/utils/gssd/context_lucid.c --- nfs-utils-1.2.4/utils/gssd/context_lucid.c.orig 2011-06-30 09:00:42.000000000 -0400 +++ nfs-utils-1.2.4/utils/gssd/context_lucid.c 2011-07-21 14:30:55.602409000 -0400 
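Review bot: `buf` is still handed to `sscanf` without a terminating NUL after the new `c = read(fd, buf, 50);`, so a file that fills all 50 bytes, or stale bytes left after a short read, can be parsed beyond the data actually read. The declaration of `buf` is outside the hunk, so its size is an assumption; if it is a 50-byte array, bound the read with `c = read(fd, buf, sizeof(buf) - 1);` and add `buf[c] = '\0';` once `c == -1` has been ruled out. The body of get_export_features starts and ends outside the hunk.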
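Review bot: The reordering in nsm_drop_privileges has no comment saying why `chdir(nsm_base_dirname)` must now run before the `st.st_uid == 0` early return, so a later cleanup could move the root check back in front of it. A comment above the chdir, such as `/* chdir first: the working directory must be set even when we keep running as root */`, would record the intent; that reason is inferred from the new ordering and should be confirmed. The root branch still returns `true` with full privileges and only a warning, which is worth stating in the function's header comment. The function body starts and ends outside the hunk.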
@@ -305,7 +305,7 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss maj_stat = gss_free_lucid_sec_context(&min_stat, ctx, return_ctx); if (maj_stat != GSS_S_COMPLETE) { - pgsserr("gss_export_lucid_sec_context", + pgsserr("gss_free_lucid_sec_context", maj_stat, min_stat, &krb5oid); printerr(0, "WARN: failed to free lucid sec context\n"); } diff -up nfs-utils-1.2.4/utils/gssd/svcgssd_krb5.c.orig nfs-utils-1.2.4/utils/gssd/svcgssd_krb5.c --- nfs-utils-1.2.4/utils/gssd/svcgssd_krb5.c.orig 2011-06-30 09:00:42.000000000 -0400 +++ nfs-utils-1.2.4/utils/gssd/svcgssd_krb5.c 2011-07-21 14:30:55.609410000 -0400 @@ -45,6 +45,7 @@ #include "gss_oids.h" #include "err_util.h" #include "svcgssd_krb5.h" +#include "../mount/version.h" #define MYBUFLEN 1024 
@@ -169,22 +170,44 @@ svcgssd_limit_krb5_enctypes(void) { #ifdef HAVE_SET_ALLOWABLE_ENCTYPES u_int maj_stat, min_stat; - krb5_enctype default_enctypes[] = { ENCTYPE_DES_CBC_CRC, - ENCTYPE_DES_CBC_MD5, - ENCTYPE_DES_CBC_MD4 }; - int default_num_enctypes = - sizeof(default_enctypes) / sizeof(default_enctypes[0]); - krb5_enctype *enctypes; - int num_enctypes; + krb5_enctype old_kernel_enctypes[] = { + ENCTYPE_DES_CBC_CRC, + ENCTYPE_DES_CBC_MD5, + ENCTYPE_DES_CBC_MD4 }; + krb5_enctype new_kernel_enctypes[] = { + ENCTYPE_AES256_CTS_HMAC_SHA1_96, + ENCTYPE_AES128_CTS_HMAC_SHA1_96, + ENCTYPE_DES3_CBC_SHA1, + ENCTYPE_ARCFOUR_HMAC, + ENCTYPE_DES_CBC_CRC, + ENCTYPE_DES_CBC_MD5, + ENCTYPE_DES_CBC_MD4 }; + krb5_enctype *default_enctypes, *enctypes; + int default_num_enctypes, num_enctypes; + + + if (linux_version_code() < MAKE_VERSION(2, 6, 35)) { + default_enctypes = old_kernel_enctypes; + default_num_enctypes = + sizeof(old_kernel_enctypes) / sizeof(old_kernel_enctypes[0]); + } else { + default_enctypes = new_kernel_enctypes; + default_num_enctypes = + sizeof(new_kernel_enctypes) / sizeof(new_kernel_enctypes[0]); + } get_kernel_supported_enctypes(); if (parsed_enctypes != NULL) { enctypes = parsed_enctypes; num_enctypes = parsed_num_enctypes; + printerr(2, "%s: Calling gss_set_allowable_enctypes with %d " + "enctypes from the kernel\n", __func__, num_enctypes); } else { enctypes = default_enctypes; num_enctypes = default_num_enctypes; + printerr(2, "%s: Calling gss_set_allowable_enctypes with %d " + "enctypes from defaults\n", __func__, num_enctypes); } maj_stat = gss_set_allowable_enctypes(&min_stat, gssd_creds, diff -up nfs-utils-1.2.4/utils/mount/version.h.orig nfs-utils-1.2.4/utils/mount/version.h --- nfs-utils-1.2.4/utils/mount/version.h.orig 2011-06-30 09:00:42.000000000 -0400 +++ nfs-utils-1.2.4/utils/mount/version.h 2011-07-21 14:30:55.614413000 -0400 
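Review bot: The fallback list `new_kernel_enctypes` still offers single-DES (`ENCTYPE_DES_CBC_CRC`, `ENCTYPE_DES_CBC_MD5`, `ENCTYPE_DES_CBC_MD4`) and `ENCTYPE_ARCFOUR_HMAC` next to the AES types, and nothing in svcgssd_limit_krb5_enctypes says why the weak types are kept or when this list applies. A comment above the array would help, for example `/* fallback only when the kernel does not report its enctypes; DES and RC4 kept for old peers - review before extending */`; the interoperability reason is an assumption to confirm. Because the version.h change in this same patch makes `linux_version_code()` return `UINT_MAX` on failure, a failed `uname()` selects this wider list, which also deserves a line in that comment. The function body continues outside the hunk, so the `gss_set_allowable_enctypes` call itself was not reviewed.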
@@ -23,8 +23,8 @@ #ifndef _NFS_UTILS_MOUNT_VERSION_H #define _NFS_UTILS_MOUNT_VERSION_H -#include -#include +#include +#include #include @@ -37,14 +37,16 @@ static inline unsigned int MAKE_VERSION( static inline unsigned int linux_version_code(void) { struct utsname my_utsname; - unsigned int p, q, r; + unsigned int p, q = 0, r = 0; + /* UINT_MAX as backward compatibility code should not be run */ if (uname(&my_utsname)) - return 0; + return UINT_MAX; - p = (unsigned int)atoi(strtok(my_utsname.release, ".")); - q = (unsigned int)atoi(strtok(NULL, ".")); - r = (unsigned int)atoi(strtok(NULL, ".")); + /* UINT_MAX as future versions might not start with an integer */ + if (sscanf(my_utsname.release, "%u.%u.%u", &p, &q, &r) < 1) + return UINT_MAX; + return MAKE_VERSION(p, q, r); } diff -up nfs-utils-1.2.4/utils/nfsidmap/nfsidmap.man.orig nfs-utils-1.2.4/utils/nfsidmap/nfsidmap.man --- nfs-utils-1.2.4/utils/nfsidmap/nfsidmap.man.orig 2011-06-30 09:00:42.000000000 -0400 +++ nfs-utils-1.2.4/utils/nfsidmap/nfsidmap.man 2011-07-21 14:30:55.620410000 -0400 @@ -25,9 +25,9 @@ will need to be modified so can properly direct the upcall. The following line should be added before a call to keyctl negate: .PP -create nfs_idmap * * /usr/sbin/nfsidmap %k %d 600 +create id_resolver * * /usr/sbin/nfsidmap %k %d 600 .PP -This will direct all nfs_idmap requests to the program +This will direct all id_resolver requests to the program .I /usr/sbin/nfsidmap The last parameter, 600, defines how many seconds into the future the key will expire. This is an optional parameter for 
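Review bot: `linux_version_code()` passes `p`, `q` and `r` to `MAKE_VERSION` unchecked after the new `sscanf`, so a component too large for the field it is packed into would spill into the neighbouring field and skew comparisons such as `< MAKE_VERSION(2, 6, 35)`. MAKE_VERSION's body is outside the hunk, so the field width is an assumption; if it packs 8 bits per component, clamp first with `if (q > 255) q = 255;` and `if (r > 255) r = 255;`. Returning `UINT_MAX` instead of 0 on failure changes what callers see from "oldest kernel" to "newest kernel", which belongs in the function's comment. `UINT_MAX` also needs `<limits.h>`, and the include names in the first hunk are not legible on this page, so that could not be checked.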
@@ -48,9 +48,9 @@ You can choose to handle any of these in generic upcall program. If you would like to use your own program for a uid lookup then you would edit your request-key.conf so it looks similar to this: .PP -create nfs_idmap uid:* * /some/other/program %k %d 600 +create id_resolver uid:* * /some/other/program %k %d 600 .br -create nfs_idmap * * /usr/sbin/nfsidmap %k %d 600 +create id_resolver * * /usr/sbin/nfsidmap %k %d 600 .PP Notice that the new line was added above the line for the generic program. request-key will find the first matching line and run the corresponding program.