diff options
author | Chen Qi <Qi.Chen@windriver.com> | 2018-09-13 18:15:36 +0800 |
---|---|---|
committer | Bruce Ashfield <bruce.ashfield@windriver.com> | 2018-09-18 03:07:53 -0400 |
commit | bf98d2e27d31804f559bfc9f7cb0582f3c258ac6 (patch) | |
tree | a09b237b22160c3cf18c40713e8cb9e40f693cbb | |
parent | 69882568e8ac28e0dd53c63d571ca282c18df2d8 (diff) | |
download | meta-cloud-services-bf98d2e27d31804f559bfc9f7cb0582f3c258ac6.tar.gz |
glusterfs: fix CVE-2018-1088
Backport patches to fix the following CVE.
CVE: CVE-2018-1088
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
3 files changed, 352 insertions, 0 deletions
diff --git a/recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch b/recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch new file mode 100644 index 0000000..0e24c56 --- /dev/null +++ b/recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch | |||
@@ -0,0 +1,70 @@ | |||
1 | From d1936056d77abcfda14386235a88ed553341a429 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mohammed Rafi KC <rkavunga@redhat.com> | ||
3 | Date: Mon, 26 Mar 2018 20:27:34 +0530 | ||
4 | Subject: [PATCH 1/3] shared storage: Prevent mounting shared storage from | ||
5 | non-trusted client | ||
6 | |||
7 | gluster shared storage is a volume used for internal storage for | ||
8 | various features including ganesha, geo-rep, snapshot. | ||
9 | |||
10 | So this volume should not be exposed to the client, as it is | ||
11 | a special volume for internal use. | ||
12 | |||
13 | This fix wont't generate non trusted volfile for shared storage volume. | ||
14 | |||
15 | Change-Id: I8ffe30ae99ec05196d75466210b84db311611a4c | ||
16 | fixes: bz#1568844 | ||
17 | BUG: 1568844 | ||
18 | Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com> | ||
19 | |||
20 | Upstream-Status: Backport | ||
21 | Fix CVE-2018-1088 | ||
22 | |||
23 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
24 | |||
25 | --- | ||
26 | xlators/mgmt/glusterd/src/glusterd-volgen.c | 21 +++++++++++++++++++++ | ||
27 | 1 file changed, 21 insertions(+) | ||
28 | |||
29 | diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c | ||
30 | index 0a0668e..308c41f 100644 | ||
31 | --- a/xlators/mgmt/glusterd/src/glusterd-volgen.c | ||
32 | +++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c | ||
33 | @@ -5721,6 +5721,7 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo, | ||
34 | int i = 0; | ||
35 | int ret = -1; | ||
36 | char filepath[PATH_MAX] = {0,}; | ||
37 | + char *volname = NULL; | ||
38 | char *types[] = {NULL, NULL, NULL}; | ||
39 | dict_t *dict = NULL; | ||
40 | xlator_t *this = NULL; | ||
41 | @@ -5728,6 +5729,26 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo, | ||
42 | |||
43 | this = THIS; | ||
44 | |||
45 | + volname = volinfo->is_snap_volume ? | ||
46 | + volinfo->parent_volname : volinfo->volname; | ||
47 | + | ||
48 | + | ||
49 | + if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE) && | ||
50 | + client_type != GF_CLIENT_TRUSTED) { | ||
51 | + /* | ||
52 | + * shared storage volume cannot be mounted from non trusted | ||
53 | + * nodes. So we are not creating volfiles for non-trusted | ||
54 | + * clients for shared volumes as well as snapshot of shared | ||
55 | + * volumes. | ||
56 | + */ | ||
57 | + | ||
58 | + ret = 0; | ||
59 | + gf_msg_debug ("glusterd", 0, "Skipping the non-trusted volfile" | ||
60 | + "creation for shared storage volume. Volume %s", | ||
61 | + volname); | ||
62 | + goto out; | ||
63 | + } | ||
64 | + | ||
65 | enumerate_transport_reqs (volinfo->transport_type, types); | ||
66 | dict = dict_new (); | ||
67 | if (!dict) | ||
68 | -- | ||
69 | 2.7.4 | ||
70 | |||
diff --git a/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch b/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch new file mode 100644 index 0000000..8947f27 --- /dev/null +++ b/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch | |||
@@ -0,0 +1,280 @@ | |||
1 | From a74ab3ab169add1e86aae0a99855211b948be021 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mohammed Rafi KC <rkavunga@redhat.com> | ||
3 | Date: Mon, 2 Apr 2018 12:20:47 +0530 | ||
4 | Subject: [PATCH 2/3] server/auth: add option for strict authentication | ||
5 | |||
6 | When this option is enabled, we will check for a matching | ||
7 | username and password, if not found then the connection will | ||
8 | be rejected. This also does a checksum validation of volfile | ||
9 | |||
10 | The option is invalid when SSL/TLS is in use, at which point | ||
11 | the SSL/TLS certificate user name is used to validate and | ||
12 | hence authorize the right user. This expects TLS allow rules | ||
13 | to be setup correctly rather than the default *. | ||
14 | |||
15 | This option is not settable, as a result this cannot be enabled | ||
16 | for volumes using the CLI. This is used with the shared storage | ||
17 | volume, to restrict access to the same in non-SSL/TLS environments | ||
18 | to the gluster peers only. | ||
19 | |||
20 | Tested: | ||
21 | ./tests/bugs/protocol/bug-1321578.t | ||
22 | ./tests/features/ssl-authz.t | ||
23 | - Ran tests on volumes with and without strict auth | ||
24 | checking (as brick vol file needed to be edited to test, | ||
25 | or rather to enable the option) | ||
26 | - Ran tests on volumes to ensure existing mounts are | ||
27 | disconnected when we enable strict checking | ||
28 | |||
29 | Change-Id: I2ac4f0cfa5b59cc789cc5a265358389b04556b59 | ||
30 | fixes: bz#1568844 | ||
31 | Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com> | ||
32 | Signed-off-by: ShyamsundarR <srangana@redhat.com> | ||
33 | |||
34 | Upstream-Status: Backport | ||
35 | Fix CVE-2018-1088 | ||
36 | |||
37 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
38 | |||
39 | --- | ||
40 | xlators/mgmt/glusterd/src/glusterd-volgen.c | 16 +++++++- | ||
41 | xlators/protocol/auth/login/src/login.c | 51 ++++++++++++++++++++++---- | ||
42 | xlators/protocol/server/src/authenticate.h | 4 +- | ||
43 | xlators/protocol/server/src/server-handshake.c | 2 +- | ||
44 | xlators/protocol/server/src/server.c | 18 +++++++++ | ||
45 | xlators/protocol/server/src/server.h | 2 + | ||
46 | 6 files changed, 81 insertions(+), 12 deletions(-) | ||
47 | |||
48 | diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c | ||
49 | index 308c41f..8dd4907 100644 | ||
50 | --- a/xlators/mgmt/glusterd/src/glusterd-volgen.c | ||
51 | +++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c | ||
52 | @@ -2250,6 +2250,7 @@ brick_graph_add_server (volgen_graph_t *graph, glusterd_volinfo_t *volinfo, | ||
53 | char *password = NULL; | ||
54 | char key[1024] = {0}; | ||
55 | char *ssl_user = NULL; | ||
56 | + char *volname = NULL; | ||
57 | char *address_family_data = NULL; | ||
58 | |||
59 | if (!graph || !volinfo || !set_dict || !brickinfo) | ||
60 | @@ -2325,6 +2326,19 @@ brick_graph_add_server (volgen_graph_t *graph, glusterd_volinfo_t *volinfo, | ||
61 | if (ret) | ||
62 | return -1; | ||
63 | |||
64 | + volname = volinfo->is_snap_volume ? | ||
65 | + volinfo->parent_volname : volinfo->volname; | ||
66 | + | ||
67 | + | ||
68 | + if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE)) { | ||
69 | + memset (key, 0, sizeof (key)); | ||
70 | + snprintf (key, sizeof (key), "strict-auth-accept"); | ||
71 | + | ||
72 | + ret = xlator_set_option (xl, key, "true"); | ||
73 | + if (ret) | ||
74 | + return -1; | ||
75 | + } | ||
76 | + | ||
77 | if (dict_get_str (volinfo->dict, "auth.ssl-allow", &ssl_user) == 0) { | ||
78 | memset (key, 0, sizeof (key)); | ||
79 | snprintf (key, sizeof (key), "auth.login.%s.ssl-allow", | ||
80 | @@ -5734,7 +5748,7 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo, | ||
81 | |||
82 | |||
83 | if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE) && | ||
84 | - client_type != GF_CLIENT_TRUSTED) { | ||
85 | + client_type != GF_CLIENT_TRUSTED) { | ||
86 | /* | ||
87 | * shared storage volume cannot be mounted from non trusted | ||
88 | * nodes. So we are not creating volfiles for non-trusted | ||
89 | diff --git a/xlators/protocol/auth/login/src/login.c b/xlators/protocol/auth/login/src/login.c | ||
90 | index e799dd2..da10d0b 100644 | ||
91 | --- a/xlators/protocol/auth/login/src/login.c | ||
92 | +++ b/xlators/protocol/auth/login/src/login.c | ||
93 | @@ -11,6 +11,16 @@ | ||
94 | #include <fnmatch.h> | ||
95 | #include "authenticate.h" | ||
96 | |||
97 | +/* Note on strict_auth | ||
98 | + * - Strict auth kicks in when authentication is using the username, password | ||
99 | + * in the volfile to login | ||
100 | + * - If enabled, auth is rejected if the username and password is not matched | ||
101 | + * or is not present | ||
102 | + * - When using SSL names, this is automatically strict, and allows only those | ||
103 | + * names that are present in the allow list, IOW strict auth checking has no | ||
104 | + * implication when using SSL names | ||
105 | +*/ | ||
106 | + | ||
107 | auth_result_t gf_auth (dict_t *input_params, dict_t *config_params) | ||
108 | { | ||
109 | auth_result_t result = AUTH_DONT_CARE; | ||
110 | @@ -27,6 +37,7 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params) | ||
111 | char *tmp = NULL; | ||
112 | char *username_cpy = NULL; | ||
113 | gf_boolean_t using_ssl = _gf_false; | ||
114 | + gf_boolean_t strict_auth = _gf_false; | ||
115 | |||
116 | username_data = dict_get (input_params, "ssl-name"); | ||
117 | if (username_data) { | ||
118 | @@ -35,16 +46,39 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params) | ||
119 | using_ssl = _gf_true; | ||
120 | } | ||
121 | else { | ||
122 | + ret = dict_get_str_boolean (config_params, "strict-auth-accept", | ||
123 | + _gf_false); | ||
124 | + if (ret == -1) | ||
125 | + strict_auth = _gf_false; | ||
126 | + else | ||
127 | + strict_auth = ret; | ||
128 | + | ||
129 | username_data = dict_get (input_params, "username"); | ||
130 | if (!username_data) { | ||
131 | - gf_log ("auth/login", GF_LOG_DEBUG, | ||
132 | - "username not found, returning DONT-CARE"); | ||
133 | + if (strict_auth) { | ||
134 | + gf_log ("auth/login", GF_LOG_DEBUG, | ||
135 | + "username not found, strict auth" | ||
136 | + " configured returning REJECT"); | ||
137 | + result = AUTH_REJECT; | ||
138 | + } else { | ||
139 | + gf_log ("auth/login", GF_LOG_DEBUG, | ||
140 | + "username not found, returning" | ||
141 | + " DONT-CARE"); | ||
142 | + } | ||
143 | goto out; | ||
144 | } | ||
145 | password_data = dict_get (input_params, "password"); | ||
146 | if (!password_data) { | ||
147 | - gf_log ("auth/login", GF_LOG_WARNING, | ||
148 | - "password not found, returning DONT-CARE"); | ||
149 | + if (strict_auth) { | ||
150 | + gf_log ("auth/login", GF_LOG_DEBUG, | ||
151 | + "password not found, strict auth" | ||
152 | + " configured returning REJECT"); | ||
153 | + result = AUTH_REJECT; | ||
154 | + } else { | ||
155 | + gf_log ("auth/login", GF_LOG_WARNING, | ||
156 | + "password not found, returning" | ||
157 | + " DONT-CARE"); | ||
158 | + } | ||
159 | goto out; | ||
160 | } | ||
161 | password = data_to_str (password_data); | ||
162 | @@ -62,9 +96,10 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params) | ||
163 | ret = gf_asprintf (&searchstr, "auth.login.%s.%s", brick_name, | ||
164 | using_ssl ? "ssl-allow" : "allow"); | ||
165 | if (-1 == ret) { | ||
166 | - gf_log ("auth/login", GF_LOG_WARNING, | ||
167 | + gf_log ("auth/login", GF_LOG_ERROR, | ||
168 | "asprintf failed while setting search string, " | ||
169 | - "returning DONT-CARE"); | ||
170 | + "returning REJECT"); | ||
171 | + result = AUTH_REJECT; | ||
172 | goto out; | ||
173 | } | ||
174 | |||
175 | @@ -92,8 +127,10 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params) | ||
176 | * ssl-allow=* case as well) authorization is effectively | ||
177 | * disabled, though authentication and encryption are still | ||
178 | * active. | ||
179 | + * | ||
180 | + * Read NOTE on strict_auth above. | ||
181 | */ | ||
182 | - if (using_ssl) { | ||
183 | + if (using_ssl || strict_auth) { | ||
184 | result = AUTH_REJECT; | ||
185 | } | ||
186 | username_cpy = gf_strdup (allow_user->data); | ||
187 | diff --git a/xlators/protocol/server/src/authenticate.h b/xlators/protocol/server/src/authenticate.h | ||
188 | index 3f80231..5f92183 100644 | ||
189 | --- a/xlators/protocol/server/src/authenticate.h | ||
190 | +++ b/xlators/protocol/server/src/authenticate.h | ||
191 | @@ -37,10 +37,8 @@ typedef struct { | ||
192 | volume_opt_list_t *vol_opt; | ||
193 | } auth_handle_t; | ||
194 | |||
195 | -auth_result_t gf_authenticate (dict_t *input_params, | ||
196 | - dict_t *config_params, | ||
197 | - dict_t *auth_modules); | ||
198 | int32_t gf_auth_init (xlator_t *xl, dict_t *auth_modules); | ||
199 | void gf_auth_fini (dict_t *auth_modules); | ||
200 | +auth_result_t gf_authenticate (dict_t *, dict_t *, dict_t *); | ||
201 | |||
202 | #endif /* _AUTHENTICATE_H */ | ||
203 | diff --git a/xlators/protocol/server/src/server-handshake.c b/xlators/protocol/server/src/server-handshake.c | ||
204 | index f00804a..392a101 100644 | ||
205 | --- a/xlators/protocol/server/src/server-handshake.c | ||
206 | +++ b/xlators/protocol/server/src/server-handshake.c | ||
207 | @@ -631,7 +631,7 @@ server_setvolume (rpcsvc_request_t *req) | ||
208 | ret = dict_get_str (params, "volfile-key", | ||
209 | &volfile_key); | ||
210 | if (ret) | ||
211 | - gf_msg_debug (this->name, 0, "failed to set " | ||
212 | + gf_msg_debug (this->name, 0, "failed to get " | ||
213 | "'volfile-key'"); | ||
214 | |||
215 | ret = _validate_volfile_checksum (this, volfile_key, | ||
216 | diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c | ||
217 | index 202fe71..61c6194 100644 | ||
218 | --- a/xlators/protocol/server/src/server.c | ||
219 | +++ b/xlators/protocol/server/src/server.c | ||
220 | @@ -883,6 +883,10 @@ do_rpc: | ||
221 | goto out; | ||
222 | } | ||
223 | |||
224 | + GF_OPTION_RECONF ("strict-auth-accept", conf->strict_auth_enabled, | ||
225 | + options, bool, out); | ||
226 | + | ||
227 | + | ||
228 | GF_OPTION_RECONF ("dynamic-auth", conf->dync_auth, options, | ||
229 | bool, out); | ||
230 | |||
231 | @@ -1113,6 +1117,14 @@ init (xlator_t *this) | ||
232 | "Failed to initialize group cache."); | ||
233 | goto out; | ||
234 | } | ||
235 | + | ||
236 | + ret = dict_get_str_boolean (this->options, "strict-auth-accept", | ||
237 | + _gf_false); | ||
238 | + if (ret == -1) | ||
239 | + conf->strict_auth_enabled = _gf_false; | ||
240 | + else | ||
241 | + conf->strict_auth_enabled = ret; | ||
242 | + | ||
243 | ret = dict_get_str_boolean (this->options, "dynamic-auth", | ||
244 | _gf_true); | ||
245 | if (ret == -1) | ||
246 | @@ -1667,5 +1679,11 @@ struct volume_options options[] = { | ||
247 | "transport connection immediately in response to " | ||
248 | "*.allow | *.reject volume set options." | ||
249 | }, | ||
250 | + { .key = {"strict-auth-accept"}, | ||
251 | + .type = GF_OPTION_TYPE_BOOL, | ||
252 | + .default_value = "off", | ||
253 | + .description = "strict-auth-accept reject connection with out" | ||
254 | + "a valid username and password." | ||
255 | + }, | ||
256 | { .key = {NULL} }, | ||
257 | }; | ||
258 | diff --git a/xlators/protocol/server/src/server.h b/xlators/protocol/server/src/server.h | ||
259 | index 0b37eb1..7eea291 100644 | ||
260 | --- a/xlators/protocol/server/src/server.h | ||
261 | +++ b/xlators/protocol/server/src/server.h | ||
262 | @@ -24,6 +24,7 @@ | ||
263 | #include "client_t.h" | ||
264 | #include "gidcache.h" | ||
265 | #include "defaults.h" | ||
266 | +#include "authenticate.h" | ||
267 | |||
268 | #define DEFAULT_BLOCK_SIZE 4194304 /* 4MB */ | ||
269 | #define DEFAULT_VOLUME_FILE_PATH CONFDIR "/glusterfs.vol" | ||
270 | @@ -105,6 +106,7 @@ struct server_conf { | ||
271 | * false, when child is down */ | ||
272 | |||
273 | gf_lock_t itable_lock; | ||
274 | + gf_boolean_t strict_auth_enabled; | ||
275 | }; | ||
276 | typedef struct server_conf server_conf_t; | ||
277 | |||
278 | -- | ||
279 | 2.7.4 | ||
280 | |||
diff --git a/recipes-extended/glusterfs/glusterfs.inc b/recipes-extended/glusterfs/glusterfs.inc index 02c8a6a..8bf5653 100644 --- a/recipes-extended/glusterfs/glusterfs.inc +++ b/recipes-extended/glusterfs/glusterfs.inc | |||
@@ -20,6 +20,8 @@ SRC_URI += "file://glusterd.init \ | |||
20 | file://libglusterfs-Don-t-link-against-libfl.patch \ | 20 | file://libglusterfs-Don-t-link-against-libfl.patch \ |
21 | file://glusterd-change-port-range.patch \ | 21 | file://glusterd-change-port-range.patch \ |
22 | file://configure.ac-allow-PYTHON-values-to-be-passed-via-en.patch \ | 22 | file://configure.ac-allow-PYTHON-values-to-be-passed-via-en.patch \ |
23 | file://0001-shared-storage-Prevent-mounting-shared-storage-from-.patch \ | ||
24 | file://0002-server-auth-add-option-for-strict-authentication.patch \ | ||
23 | " | 25 | " |
24 | 26 | ||
25 | LICENSE = "(LGPLv3+ | GPLv2) & GPLv3+ & LGPLv3+ & GPLv2+ & LGPLv2+ & LGPLv2.1+ & Apache-2.0" | 27 | LICENSE = "(LGPLv3+ | GPLv2) & GPLv3+ & LGPLv3+ & GPLv2+ & LGPLv2+ & LGPLv2.1+ & Apache-2.0" |