From 12ee0ff1120a6e42b67cc90ad7d5006555e866c3 Mon Sep 17 00:00:00 2001 From: NeilBrown Date: Tue, 23 Jun 2020 09:22:22 +0000 Subject: [PATCH] statd: take user-id from /var/lib/nfs/sm Having /var/lib/nfs writeable by statd is not ideal as there are files in there that statd doesn't need to access. After dropping privs, statd and sm-notify only need to access files in the directories sm and sm.bak. So take the uid for these deamons from 'sm'. Upstream-Status: Backport [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commitdiff;h=fee2cc29e888f2ced6a76990923aef19d326dc0e] CVE: CVE-2019-3689 Signed-off-by: NeilBrown Signed-off-by: Steve Dickson Signed-off-by: Wenlin Kang --- support/nsm/file.c | 16 +++++----------- utils/statd/sm-notify.man | 10 +++++++++- utils/statd/statd.man | 10 +++++++++- 3 files changed, 23 insertions(+), 13 deletions(-) diff --git a/support/nsm/file.c b/support/nsm/file.c index 0b66f12..f5b4480 100644 --- a/support/nsm/file.c +++ b/support/nsm/file.c @@ -388,23 +388,17 @@ nsm_drop_privileges(const int pidfd) (void)umask(S_IRWXO); - /* - * XXX: If we can't stat dirname, or if dirname is owned by - * root, we should use "statduser" instead, which is set up - * by configure.ac. Nothing in nfs-utils seems to use - * "statduser," though. - */ - if (lstat(nsm_base_dirname, &st) == -1) { - xlog(L_ERROR, "Failed to stat %s: %m", nsm_base_dirname); - return false; - } - if (chdir(nsm_base_dirname) == -1) { xlog(L_ERROR, "Failed to change working directory to %s: %m", nsm_base_dirname); return false; } + if (lstat(NSM_MONITOR_DIR, &st) == -1) { + xlog(L_ERROR, "Failed to stat %s/%s: %m", nsm_base_dirname, NSM_MONITOR_DIR); + return false; + } + if (!prune_bounding_set()) return false; diff --git a/utils/statd/sm-notify.man b/utils/statd/sm-notify.man index cfe1e4b..addf5d3 100644 --- a/utils/statd/sm-notify.man +++ b/utils/statd/sm-notify.man @@ -190,7 +190,15 @@ by default. After starting, .B sm-notify attempts to set its effective UID and GID to the owner -and group of this directory. +and group of the subdirectory +.B sm +of this directory. After changing the effective ids, +.B sm-notify +only needs to access files in +.B sm +and +.B sm.bak +within the state-directory-path. .TP .BI -v " ipaddr " | " hostname Specifies the network address from which to send reboot notifications, diff --git a/utils/statd/statd.man b/utils/statd/statd.man index 71d5846..6222701 100644 --- a/utils/statd/statd.man +++ b/utils/statd/statd.man @@ -259,7 +259,15 @@ by default. After starting, .B rpc.statd attempts to set its effective UID and GID to the owner -and group of this directory. +and group of the subdirectory +.B sm +of this directory. After changing the effective ids, +.B rpc.statd +only needs to access files in +.B sm +and +.B sm.bak +within the state-directory-path. .TP .BR -v ", " -V ", " --version Causes -- 2.23.0