2281ec5d7e
Signed-off-by: Steve Dickson <steved@redhat.com>
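--- a/aclocal/rpcsec_vers.m4
+++ b/aclocal/rpcsec_vers.m4
@@ -1,7 +1,7 @@
 dnl Checks librpcsec version
 AC_DEFUN([AC_RPCSEC_VERSION], [
 
- PKG_CHECK_MODULES([GSSGLUE], [libgssglue >= 0.1])
+ PKG_CHECK_MODULES([GSSGLUE], [libgssglue >= 0.3])
 
 dnl TI-RPC replaces librpcsecgss
 if test "$enable_tirpc" = no; then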
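--- a/configure.ac
+++ b/configure.ac
@@ -264,9 +264,6 @@ if test "$enable_nfsv4" = yes; then
 dnl check for nfsidmap libraries and headers
 AC_LIBNFSIDMAP
 
- dnl enable nfsidmap when its support by libnfsidmap
- AM_CONDITIONAL(CONFIG_NFSIDMAP, [test "$enable_nfsidmap" = "yes"])
-
 dnl check for the keyutils libraries and headers
 AC_KEYUTILS
 
@@ -276,6 +273,9 @@ if test "$enable_nfsv4" = yes; then
 AC_RPCSEC_VERSION
 fi
 fi
+dnl enable nfsidmap when its support by libnfsidmap
+AM_CONDITIONAL(CONFIG_NFSIDMAP, [test "$enable_nfsidmap" = "yes"])
+
 
 if test "$knfsd_cv_glibc2" = no; then
 AC_CHECK_LIB(bsd, daemon, [LIBBSD="-lbsd"])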
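Review bot: The relocated comment `dnl enable nfsidmap when its support by libnfsidmap` in the second hunk does not say why the conditional now sits after the closing `fi`, which is the whole point of the move. Automake requires every `AM_CONDITIONAL` to be executed on each configure run, so keeping it inside `if test "$enable_nfsv4" = yes` breaks configure when NFSv4 is disabled. I would reword the comment to `dnl AM_CONDITIONAL must run unconditionally; keep it outside the enable_nfsv4 block` so a later cleanup does not move the lines back.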
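--- a/support/nfs/exports.c
+++ b/support/nfs/exports.c
@@ -784,8 +784,9 @@ struct export_features *get_export_featu
 fd = open(path, O_RDONLY);
 if (fd == -1)
 goto good;
- fd = read(fd, buf, 50);
- if (fd == -1)
+ c = read(fd, buf, 50);
+ close(fd);
+ if (c == -1)
 goto err;
 c = sscanf(buf, "%x %x", &ef.flags, &ef.secinfo_flags);
 if (c != 2)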
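Review bot: `buf` goes to `sscanf` right after `read(fd, buf, 50)` without being NUL-terminated at the returned length, so unless `buf` is zero-initialised where it is declared (outside this hunk) the parse can run past the bytes actually read. The new `c` already holds the byte count, so after the `c == -1` check add `buf[c] = '\0';`. The read should also be bounded by the buffer rather than the literal, `c = read(fd, buf, sizeof(buf) - 1);`, assuming `buf` is an array local to this function. The body of get_export_features starts and ends outside the hunk, so the declaration of `buf` and the `err`/`good` labels are not visible here.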
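--- a/support/nsm/file.c
+++ b/support/nsm/file.c
@@ -396,18 +396,18 @@ nsm_drop_privileges(const int pidfd)
 return false;
 }
 
- if (st.st_uid == 0) {
- xlog_warn("Running as root. "
- "chown %s to choose different user", nsm_base_dirname);
- return true;
- }
-
 if (chdir(nsm_base_dirname) == -1) {
 xlog(L_ERROR, "Failed to change working directory to %s: %m",
 nsm_base_dirname);
 return false;
 }
 
+ if (st.st_uid == 0) {
+ xlog_warn("Running as root. "
+ "chown %s to choose different user", nsm_base_dirname);
+ return true;
+ }
+
 /*
 * If the pidfile happens to reside on NFS, dropping privileges
 * will probably cause us to lose access, even though we are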
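Review bot: The moved `if (st.st_uid == 0)` block now has to run after `chdir(nsm_base_dirname)`, but nothing in the code records that ordering, so a later cleanup could undo it. A one-line comment above the block would help, for example `/* chdir first: the working directory must be the state directory even when we stay root */`; that wording is my reading of the change and should be confirmed. This path still returns `true` without dropping privileges. The ownership decision relies on `st`, which is filled in outside the hunk, while `chdir` resolves the path a second time. nsm_drop_privileges starts and ends outside the hunk.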
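--- a/utils/gssd/context_lucid.c
+++ b/utils/gssd/context_lucid.c
@@ -305,7 +305,7 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss
 
 maj_stat = gss_free_lucid_sec_context(&min_stat, ctx, return_ctx);
 if (maj_stat != GSS_S_COMPLETE) {
- pgsserr("gss_export_lucid_sec_context",
+ pgsserr("gss_free_lucid_sec_context",
 maj_stat, min_stat, &krb5oid);
 printerr(0, "WARN: failed to free lucid sec context\n");
 }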
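--- a/utils/gssd/svcgssd_krb5.c
+++ b/utils/gssd/svcgssd_krb5.c
@@ -45,6 +45,7 @@
 #include "gss_oids.h"
 #include "err_util.h"
 #include "svcgssd_krb5.h"
+#include "../mount/version.h"
 
 #define MYBUFLEN 1024
 
@@ -169,22 +170,44 @@ svcgssd_limit_krb5_enctypes(void)
 {
 #ifdef HAVE_SET_ALLOWABLE_ENCTYPES
 u_int maj_stat, min_stat;
- krb5_enctype default_enctypes[] = { ENCTYPE_DES_CBC_CRC,
- ENCTYPE_DES_CBC_MD5,
- ENCTYPE_DES_CBC_MD4 };
- int default_num_enctypes =
- sizeof(default_enctypes) / sizeof(default_enctypes[0]);
- krb5_enctype *enctypes;
- int num_enctypes;
+ krb5_enctype old_kernel_enctypes[] = {
+ ENCTYPE_DES_CBC_CRC,
+ ENCTYPE_DES_CBC_MD5,
+ ENCTYPE_DES_CBC_MD4 };
+ krb5_enctype new_kernel_enctypes[] = {
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ ENCTYPE_DES3_CBC_SHA1,
+ ENCTYPE_ARCFOUR_HMAC,
+ ENCTYPE_DES_CBC_CRC,
+ ENCTYPE_DES_CBC_MD5,
+ ENCTYPE_DES_CBC_MD4 };
+ krb5_enctype *default_enctypes, *enctypes;
+ int default_num_enctypes, num_enctypes;
+
+
+ if (linux_version_code() < MAKE_VERSION(2, 6, 35)) {
+ default_enctypes = old_kernel_enctypes;
+ default_num_enctypes =
+ sizeof(old_kernel_enctypes) / sizeof(old_kernel_enctypes[0]);
+ } else {
+ default_enctypes = new_kernel_enctypes;
+ default_num_enctypes =
+ sizeof(new_kernel_enctypes) / sizeof(new_kernel_enctypes[0]);
+ }
 
 get_kernel_supported_enctypes();
 
 if (parsed_enctypes != NULL) {
 enctypes = parsed_enctypes;
 num_enctypes = parsed_num_enctypes;
+ printerr(2, "%s: Calling gss_set_allowable_enctypes with %d "
+ "enctypes from the kernel\n", __func__, num_enctypes);
 } else {
 enctypes = default_enctypes;
 num_enctypes = default_num_enctypes;
+ printerr(2, "%s: Calling gss_set_allowable_enctypes with %d "
+ "enctypes from defaults\n", __func__, num_enctypes);
 }
 
 maj_stat = gss_set_allowable_enctypes(&min_stat, gssd_creds,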
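Review bot: The fallback list `new_kernel_enctypes` in the second hunk still offers `ENCTYPE_DES_CBC_CRC`, `ENCTYPE_DES_CBC_MD5`, `ENCTYPE_DES_CBC_MD4` and `ENCTYPE_ARCFOUR_HMAC` after the AES and 3DES entries, so a server that falls back to these defaults keeps accepting single-DES and RC4 contexts. If they are kept only for interoperability with older peers, a comment above the array should say so, e.g. `/* weak enctypes kept last for legacy peers; remove once no longer required */`, or they could be left out of the list used for 2.6.35 and later. The `MAKE_VERSION(2, 6, 35)` threshold also has no comment explaining what changed in that kernel. svcgssd_limit_krb5_enctypes continues past the end of the hunk, so what happens to `maj_stat` is not visible here.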
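--- a/utils/mount/version.h
+++ b/utils/mount/version.h
@@ -23,8 +23,8 @@
 #ifndef _NFS_UTILS_MOUNT_VERSION_H
 #define _NFS_UTILS_MOUNT_VERSION_H
 
-#include <stdlib.h>
-#include <string.h>
+#include <stdio.h>
+#include <limits.h>
 
 #include <sys/utsname.h>
 
@@ -37,14 +37,16 @@ static inline unsigned int MAKE_VERSION(
 static inline unsigned int linux_version_code(void)
 {
 struct utsname my_utsname;
- unsigned int p, q, r;
+ unsigned int p, q = 0, r = 0;
 
+ /* UINT_MAX as backward compatibility code should not be run */
 if (uname(&my_utsname))
- return 0;
+ return UINT_MAX;
 
- p = (unsigned int)atoi(strtok(my_utsname.release, "."));
- q = (unsigned int)atoi(strtok(NULL, "."));
- r = (unsigned int)atoi(strtok(NULL, "."));
+ /* UINT_MAX as future versions might not start with an integer */
+ if (sscanf(my_utsname.release, "%u.%u.%u", &p, &q, &r) < 1)
+ return UINT_MAX;
+
 return MAKE_VERSION(p, q, r);
 }
 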
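Review bot: `linux_version_code()` in the second hunk now reports failure as `UINT_MAX`, which callers comparing against `MAKE_VERSION(...)` cannot tell apart from a very new kernel. The svcgssd enctype selection on this page, for example, takes the newer-kernel branch in that case. The two inline comments hint at the intent, but the contract is not stated where a caller would read it. A header comment on the function should say that it returns `UINT_MAX` when `uname()` fails or the release string does not start with an integer, and that missing minor and patch fields are taken as 0. It should also note that `p` is safe to leave uninitialised only because a `sscanf` result of at least 1 guarantees it was assigned.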
diff -up nfs-utils-1.2.4/utils/nfsidmap/nfsidmap.man.orig nfs-utils-1.2.4/utils/nfsidmap/nfsidmap.man
|
|
--- nfs-utils-1.2.4/utils/nfsidmap/nfsidmap.man.orig 2011-06-30 09:00:42.000000000 -0400
|
|
+++ nfs-utils-1.2.4/utils/nfsidmap/nfsidmap.man 2011-07-21 14:30:55.620410000 -0400
|
|
@@ -25,9 +25,9 @@ will need to be modified so
|
|
can properly direct the upcall. The following line should be added before a call
|
|
to keyctl negate:
|
|
.PP
|
|
-create nfs_idmap * * /usr/sbin/nfsidmap %k %d 600
|
|
+create id_resolver * * /usr/sbin/nfsidmap %k %d 600
|
|
.PP
|
|
-This will direct all nfs_idmap requests to the program
|
|
+This will direct all id_resolver requests to the program
|
|
.I /usr/sbin/nfsidmap
|
|
The last parameter, 600, defines how many seconds into the future the key will
|
|
expire. This is an optional parameter for
|
|
@@ -48,9 +48,9 @@ You can choose to handle any of these in
|
|
generic upcall program. If you would like to use your own program for a uid
|
|
lookup then you would edit your request-key.conf so it looks similar to this:
|
|
.PP
|
|
-create nfs_idmap uid:* * /some/other/program %k %d 600
|
|
+create id_resolver uid:* * /some/other/program %k %d 600
|
|
.br
|
|
-create nfs_idmap * * /usr/sbin/nfsidmap %k %d 600
|
|
+create id_resolver * * /usr/sbin/nfsidmap %k %d 600
|
|
.PP
|
|
Notice that the new line was added above the line for the generic program.
|
|
request-key will find the first matching line and run the corresponding program.
|