* ANNOUNCE: nfs-utils 1.0.4
@ 2003-07-14 17:00 Neil F. Brown
  2003-07-14 19:34 ` Steven Cole
  2003-07-29 14:16 ` James Pearson
  0 siblings, 2 replies; 6+ messages in thread
From: Neil F. Brown @ 2003-07-14 17:00 UTC (permalink / raw)
  To: nfs, linux-kernel; +Cc: Janusz Niewiadomski

This release of nfs-utils contains:

 1/ Fix for a remotely exploitable buffer-overflow bug.
 2/ assorted minor bug fixes
 3/ Extensive changes to make use of new functionality in linux-2.6.0 nfsd

nfs-utils 1.0.4 can be downloaded from 
  http://sourceforge.net/project/showfiles.php?group_id=14
or
  http://www.{countrycode}.kernel.org/pub/linux/utils/nfs/

I consider this release to be a pre-release for 1.1.0 which I hope to
release before linux-2.6.0-final.  Bug reports are very welcome.


1/ A buffer-overflow bug was found by 
    Janusz Niewiadomski
    iSEC Security Research
    http://isec.pl/

  It is trivially exploitable to effect a remote denial of service.
  More subtle exploits may be possible.

  I recommend that all users of nfs-utils either:
    1/ upgrade to 1.0.4 
  or
    2/ Get an update from their vendor (most vendors should have an
       update available).

  I also recommend that all NFS services be protected from the
  internet-at-large by a firewall where that is possible.

2/ See the change log in the source for details on bug fixes.

3/ In 2.4 and earlier kernels, the nfs server needed to know about any
 client that expected to be able to access files via NFS.  This
 information would be given to the kernel by "mountd" when the client
 mounted the filesystem, or by "exportfs" at system startup.  exportfs
 would take information about active clients from /var/lib/nfs/rmtab.

 This approach is quite fragile as it depends on rmtab being correct
 which is not always easy, particularly when trying to implement
 fail-over.  Even when the system is working well, rmtab suffers from
 getting lots of old entries that never get removed.

 With 2.6 we have the option of having the kernel tell mountd when it
 gets a request from an unknown host, and mountd can give appropriate
 export information to the kernel.  This removes the dependency on
 rmtab and means that the kernel only needs to know about currently
 active clients.

 To enable this new functionality, you need to:
   mount -t nfsd nfsd /proc/fs/nfs

 before running exportfs or mountd.  

 If you are using 2.6.0-testX and exporting files with NFS *please*
 test this out and let me know of any problems.

NeilBrown - July 2003
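
Added example, not part of the original announcement or of nfs-utils: a shell check that classifies a `showmount --version` banner against 1.0.4, the release the announcement recommends. The banner wording in the comments and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: decide from a version banner whether nfs-utils is at
# least 1.0.4. Sample banners such as "showmount for 1.0.4" are constructed.

FIXED_VERSION="1.0.4"

# Print the last field of the first line that mentions showmount, but only
# if it is a dotted number. A shell error such as "command not found" also
# mentions showmount and must not be mistaken for a version.
extract_version() {
    printf '%s\n' "$1" | awk '/showmount/ { print $NF; exit }' |
        grep -E '^[0-9]+(\.[0-9]+)*$'
}

# Return 0 if dotted version $1 >= $2, comparing field by field as integers.
# Missing fields count as 0, so "1.1" compares as "1.1.0".
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a="" || a=${a#*.}
        [ "$b" = "$y" ] && b="" || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Classify a banner: prints "fixed", "upgrade" or "unknown".
classify_banner() {
    v=$(extract_version "$1") || { echo unknown; return; }
    if version_ge "$v" "$FIXED_VERSION"; then
        echo fixed
    else
        echo upgrade
    fi
}

# Typical call on a live system:
#   classify_banner "$(showmount --version 2>&1)"
```

A vendor package can carry the fix under an older version number, so "upgrade" here means the vendor's update notice still needs to be checked.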



* Re: ANNOUNCE: nfs-utils 1.0.4
  2003-07-14 17:00 ANNOUNCE: nfs-utils 1.0.4 Neil F. Brown
@ 2003-07-14 19:34 ` Steven Cole
  2003-07-29 14:16 ` James Pearson
  1 sibling, 0 replies; 6+ messages in thread
From: Steven Cole @ 2003-07-14 19:34 UTC (permalink / raw)
  To: Neil F. Brown; +Cc: nfs, linux-kernel, Janusz Niewiadomski

On Mon, 2003-07-14 at 11:00, Neil F. Brown wrote:
> This release of nfs-utils contains:
> 
>  1/ Fix for a remotely exploitable buffer-overflow bug.
>  2/ assorted minor bug fixes
>  3/ Extensive changes to make use of new functionality in linux-2.6.0 nfsd
> 
> nfs-utils 1.0.4 can be downloaded from 
>   http://sourceforge.net/project/showfiles.php?group_id=14
> or
>   http://www.{countrycode}.kernel.org/pub/linux/utils/nfs/
> 
> I consider this release to be a pre-release for 1.1.0 which I hope to
> release before linux-2.6.0-final.  Bug reports are very welcome.

Although it may be a month or three until 2.6.0-final, here is an update
to Documentation/Changes and scripts/ver_linux for nfs-utils.

Your information should be preserved somewhere, and
Documentation/Changes should be one of the first places people look when
moving from 2.4 to 2.6.

I moved the nfs-utils table entry up a couple of rows to group it with
other network related items.

If this patch looks OK, please send it upstream.  Otherwise, please fix
and send.

Steven

diff -ur 2.5-bk-current/Documentation/Changes 2.5-linux/Documentation/Changes
--- 2.5-bk-current/Documentation/Changes	Mon Jul 14 12:48:38 2003
+++ 2.5-linux/Documentation/Changes	Mon Jul 14 13:03:05 2003
@@ -61,9 +61,9 @@
 o  quota-tools            3.09                    # quota -V
 o  PPP                    2.4.0                   # pppd --version
 o  isdn4k-utils           3.1pre1                 # isdnctrl 2>&1|grep version
+o  nfs-utils              1.0.4                   # showmount --version
 o  procps                 2.0.9                   # ps --version
 o  oprofile               0.5.3                   # oprofiled --version
-o  nfs-utils              1.0.3                   # showmount --version
 
 Kernel compilation
 ==================
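Review bot: The `+` line raises the listed minimum for nfs-utils from 1.0.3 to 1.0.4, but the section added later in this patch describes the new nfsd interface as something "we have the option of" using, so it is not clear that 1.0.4 is a hard requirement for 2.6 rather than a recommendation. If the bump is wanted because of the buffer-overflow fix named in the announcement, say so in the changelog. Consider sending the row move as a separate change so the version bump is easy to spot.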
@@ -280,6 +280,33 @@
 Due to changes in the length of the phone number field, isdn4k-utils
 needs to be recompiled or (preferably) upgraded.
 
+NFS-utils
+---------
+
+In 2.4 and earlier kernels, the nfs server needed to know about any
+client that expected to be able to access files via NFS.  This
+information would be given to the kernel by "mountd" when the client
+mounted the filesystem, or by "exportfs" at system startup.  exportfs
+would take information about active clients from /var/lib/nfs/rmtab.
+
+This approach is quite fragile as it depends on rmtab being correct
+which is not always easy, particularly when trying to implement
+fail-over.  Even when the system is working well, rmtab suffers from
+getting lots of old entries that never get removed.
+
+With 2.6 we have the option of having the kernel tell mountd when it
+gets a request from an unknown host, and mountd can give appropriate
+export information to the kernel.  This removes the dependency on
+rmtab and means that the kernel only needs to know about currently
+active clients.
+
+To enable this new functionality, you need to:
+
+  mount -t nfsd nfsd /proc/fs/nfs
+
+before running exportfs or mountd.  It is recommended that all NFS
+services be protected from the internet-at-large where that is possible.
+
 Getting updated software
 ========================
 
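Review bot: The closing sentence of the new NFS-utils section ("It is recommended that all NFS services be protected from the internet-at-large where that is possible") is tacked onto the paragraph about mounting the nfsd filesystem and drops both "by a firewall" and the reason given in the announcement, the remotely exploitable buffer overflow fixed in 1.0.4. Suggest giving it its own paragraph that names the fix and the firewall, so readers still on an older nfs-utils see why the upgrade matters.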
@@ -368,6 +395,10 @@
 ------------
 o  <ftp://ftp.isdn4linux.de/pub/isdn4linux/utils/isdn4k-utils.v3.1pre1.tar.gz>
 
+NFS-utils
+---------
+o  <http://sourceforge.net/project/showfiles.php?group_id=14>
+
 Netfilter
 ---------
 o  <http://netfilter.filewatcher.org/iptables-1.2.tar.bz2>
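Review bot: The new NFS-utils entry links to the SourceForge file listing (`showfiles.php?group_id=14`) while the neighbouring entries link straight to a tarball, and the kernel.org location given in the announcement is missing. Consider adding the kernel.org path as a second entry. The "Only in 2.5-linux/Documentation: x" line that follows this hunk is diff output for a stray file and should be dropped before the patch goes upstream.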
Only in 2.5-linux/Documentation: x
diff -ur 2.5-bk-current/scripts/ver_linux 2.5-linux/scripts/ver_linux
--- 2.5-bk-current/scripts/ver_linux	Mon Jul 14 12:48:09 2003
+++ 2.5-linux/scripts/ver_linux	Mon Jul 14 12:51:19 2003
@@ -54,6 +54,9 @@
 isdnctrl 2>&1 | grep version | awk \
 'NR==1{print "isdn4k-utils          ", $NF}'
 
+showmount --version 2>&1 | grep showmount | awk \
+'NR==1{print "nfs-utils             ", $NF}'
+
 ls -l `ldd /bin/sh | awk '/libc/{print $3}'` | sed \
 -e 's/\.so$//' | awk -F'[.-]'   '{print "Linux C Library        " \
 $(NF-2)"."$(NF-1)"."$NF}'
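Review bot: The added `showmount --version 2>&1 | grep showmount` line can report a bogus version when showmount is not installed: the shell's own error message names the command, passes through `2>&1`, matches the grep, and awk then prints its last word as the nfs-utils version. The isdnctrl line above avoids this by matching on "version". Suggest matching on something only the real banner contains, or checking that `$NF` starts with a digit before printing.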





* Re: ANNOUNCE: nfs-utils 1.0.4
  2003-07-14 17:00 ANNOUNCE: nfs-utils 1.0.4 Neil F. Brown
  2003-07-14 19:34 ` Steven Cole
@ 2003-07-29 14:16 ` James Pearson
  2003-07-30  4:20   ` Neil Brown
  1 sibling, 1 reply; 6+ messages in thread
From: James Pearson @ 2003-07-29 14:16 UTC (permalink / raw)
  To: Neil F. Brown; +Cc: nfs

"Neil F. Brown" wrote:
> 
> 3/ In 2.4 and earlier kernels, the nfs server needed to know about any
>  client that expected to be able to access files via NFS.  This
>  information would be given to the kernel by "mountd" when the client
>  mounted the filesystem, or by "exportfs" at system startup.  exportfs
>  would take information about active clients from /var/lib/nfs/rmtab.
> 
>  This approach is quite fragile as it depends on rmtab being correct
>  which is not always easy, particularly when trying to implement
>  fail-over.  Even when the system is working well, rmtab suffers from
>  getting lots of old entries that never get removed.
> 
>  With 2.6 we have the option of having the kernel tell mountd when it
>  gets a request from an unknown host, and mountd can give appropriate
>  export information to the kernel.  This removes the dependency on
>  rmtab and means that the kernel only needs to know about currently
>  active clients.
> 
>  To enable this new functionality, you need to:
>    mount -t nfsd nfsd /proc/fs/nfs
> 
>  before running exportfs or mountd.
> 
>  If you are using 2.6.0-testX and exporting files with NFS *please*
>  test this out and let me know of any problems.

I've just been trying out 2.6.0-test2 with nfs-utils 1.0.5 and I've come
across a couple of problems:

When using 'mount -t nfsd nfsd /proc/fs/nfs' on the server, if I now run
'showmount -d server', nothing is returned. If I don't use the 'mount -t
nfsd ...', showmount works as expected.


When starting /etc/init.d/nfs, I get a pause between 'Starting NFS
daemon' and 'Starting NFS mountd' - this turns out to be rpcinfo timing
out i.e.

rpcinfo: RPC: Timed out
program 100003 version 3 is not available

i.e. from '/usr/sbin/rpcinfo -u localhost nfs 3'

and hence rpc.mountd starts with '--no-nfs-version 3'

Once nfsd is up and running, rpcinfo returns the expected result.

Forcing 'MOUNTD_NFS_V3=yes' works fine, and clients can mount using
NFSv3


One thing I would be interested in knowing - how does the server now
'know' about clients that have mounted file systems across server
reboots now that /var/lib/nfs/rmtab is no longer used?

James Pearson


-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs


* Re: ANNOUNCE: nfs-utils 1.0.4
  2003-07-29 14:16 ` James Pearson
@ 2003-07-30  4:20   ` Neil Brown
  2003-07-30 16:43     ` James Pearson
  0 siblings, 1 reply; 6+ messages in thread
From: Neil Brown @ 2003-07-30  4:20 UTC (permalink / raw)
  To: James Pearson; +Cc: nfs

On Tuesday July 29, james-p@moving-picture.com wrote:
> >  If you are using 2.6.0-testX and exporting files with NFS *please*
> >  test this out and let me know of any problems.
> 
> I've just been trying out 2.6.0-test2 with nfs-utils 1.0.5 and I've come
> across a couple of problems:

Thanks for reporting them.

> 
> When using 'mount -t nfsd nfsd /proc/fs/nfs' on the server, if I now run
> 'showmount -d server', nothing is returned. If I don't use the 'mount -t
> nfsd ...', showmount works as expected.
> 

Hmm.. "showmount -d" effectively just shows the contents of rmtab.  I
thought I was still keeping rmtab mostly up-to-date, but apparently
not.  I will look into it and see if I can find a sensible way for it
to work.

> 
> When starting /etc/init.d/nfs, I get a pause between 'Starting NFS
> daemon' and 'Starting NFS mountd' - this turns out to be rpcinfo timing
> out i.e.
> 
> rpcinfo: RPC: Timed out
> program 100003 version 3 is not available
> 
> i.e. from '/usr/sbin/rpcinfo -u localhost nfs 3'
> 
> and hence rpc.mountd starts with '--no-nfs-version 3'
> 
> Once nfsd is up and running, rpcinfo returns the expected result.
> 
> Forcing 'MOUNTD_NFS_V3=yes' works fine, and clients can mount using
> NFSv3

Yep.  This requires a change to /etc/init.d/nfs which I have done for
debian but not for others.  I'll look into that.
The code in debian/nfs-kernel-server.init looks like:

    # make sure 127.0.0.1 is a valid source for requests
    ClearAddr=
    if [ -f /proc/net/rpc/auth.unix.ip/channel ] ; then
        if grep -s 127.0.0.1 /proc/net/rpc/auth.unix.ip/content > /dev/null ; then
            : address already known
        else
            echo nfsd 127.0.0.1 2147483647 localhost > /proc/net/rpc/auth.unix.ip/channel
            ClearAddr=yes
        fi
    fi

    $PREFIX/bin/rpcinfo -u localhost nfs 3 >/dev/null 2>&1 ||
        RPCMOUNTDOPTS="$RPCMOUNTDOPTS --no-nfs-version 3"

    if [ -n "$ClearAddr" ]; then
        echo nfsd 127.0.0.1 1  > /proc/net/rpc/auth.unix.ip/channel
    fi

i.e. we enable access from 127.0.0.1 before doing the rpcinfo request.

> 
> 
> One thing I would be interested in knowing - how does the server now
> 'know' about clients that have mounted file systems across server
> reboots now that /var/lib/nfs/rmtab is no longer used?

It doesn't.  But the client does.

When the client sends the first request after a server has rebooted,
the kernel fails to find any information about the client in its
export cache so it sends a request to mountd, via
   /proc/net/rpc/*/channel
mountd determines whether the client is allowed access and sends an
appropriate answer back.

This is explained to some extent in
   man 7 nfsd

though that is really just a first draft.

NeilBrown



* Re: ANNOUNCE: nfs-utils 1.0.4
  2003-07-30  4:20   ` Neil Brown
@ 2003-07-30 16:43     ` James Pearson
  2003-07-30 23:30       ` Neil Brown
  0 siblings, 1 reply; 6+ messages in thread
From: James Pearson @ 2003-07-30 16:43 UTC (permalink / raw)
  To: Neil Brown; +Cc: nfs

Neil Brown wrote:
> 
> On Tuesday July 29, james-p@moving-picture.com wrote:
> > >  If you are using 2.6.0-testX and exporting files with NFS *please*
> > >  test this out and let me know of any problems.
> >
> > I've just been trying out 2.6.0-test2 with nfs-utils 1.0.5 and I've come
> > across a couple of problems:
> 
> Thanks for reporting them.
> 
> >
> > When using 'mount -t nfsd nfsd /proc/fs/nfs' on the server, if I now run
> > 'showmount -d server', nothing is returned. If I don't use the 'mount -t
> > nfsd ...', showmount works as expected.
> >
> 
> Hmm.. "showmount -d" effectively just shows the contents of rmtab.  I
> thought I was still keeping rmtab mostly up-to-date, but apparently
> not.  I will look into it and see if I can find a sensible way for it
> to work.

What is the 'best' way to enable /proc/fs/nfs? i.e. if nfsd is a module,
then you can't mount /proc/fs/nfs until the module is loaded, which
normally doesn't happen until rpc.nfsd is started - which is after
exportfs has been run in the startup script ...

Should /proc/fs/nfs be unmounted when the /etc/init.d/nfs is stopped?

Could there be problems if nfsd uses /proc/fs/nfs, then nfsd is shutdown
and restarted without /proc/fs/nfs being mounted?

> >
> > When starting /etc/init.d/nfs, I get a pause between 'Starting NFS
> > daemon' and 'Starting NFS mountd' - this turns out to be rpcinfo timing
> > out i.e.
> >
> > rpcinfo: RPC: Timed out
> > program 100003 version 3 is not available
> >
> > i.e. from '/usr/sbin/rpcinfo -u localhost nfs 3'
> >
> > and hence rpc.mountd starts with '--no-nfs-version 3'
> >
> > Once nfsd is up and running, rpcinfo returns the expected result.
> >
> > Forcing 'MOUNTD_NFS_V3=yes' works fine, and clients can mount using
> > NFSv3
> 
> Yep.  This requires a change to /etc/init.d/nfs which I have done for
> debian but not for others.  I'll look into that.
> ...

It appears this has already been done for NFSv2 in /etc/init.d/nfs, but
not for NFSv3 - adding the similar bits for NFSv3 now works OK.

> >
> > One thing I would be interested in knowing - how does the server now
> > 'know' about clients that have mounted file systems across server
> > reboots now that /var/lib/nfs/rmtab is no longer used?
> 
> It doesn't.  But the client does.
> 
> When the client sends the first request after a server has rebooted,
> the kernel fails to find any information about the client in its
> export cache so it sends a request to mountd, via
>    /proc/net/rpc/*/channel
> mountd determines whether the client is allowed access and sends an
> appropriate answer back.
> 
> This is explained to some extent in
>    man 7 nfsd
> 
> though that is really just a first draft.


Thanks

James Pearson



* Re: ANNOUNCE: nfs-utils 1.0.4
  2003-07-30 16:43     ` James Pearson
@ 2003-07-30 23:30       ` Neil Brown
  0 siblings, 0 replies; 6+ messages in thread
From: Neil Brown @ 2003-07-30 23:30 UTC (permalink / raw)
  To: James Pearson; +Cc: nfs

On Wednesday July 30, james-p@moving-picture.com wrote:
> 
> What is the 'best' way to enable /proc/fs/nfs? i.e. if nfsd is a module,
> then you can't mount /proc/fs/nfs until the module is loaded, which
> normally doesn't happen until rpc.nfsd is started - which is after
> exportfs has been run in the startup script ...

Well, the theory was that mounting the 'nfsd' filesystem would cause
nfsd.ko to be auto-loaded.  Unfortunately I never tested this
theory...

It almost works.  The problem is that the /proc/fs/nfs directory is
created by the nfsd module so you cannot 
   mount -t nfsd nfsd /proc/fs/nfsd
to autoload nfsd, because mount will complain that /proc/fs/nfsd
doesn't exist.

   mkdir -p /mnt/nfsd
   mount -t nfsd nfsd /mnt/nfsd
   mount --move /mnt/nfsd /proc/fs/nfs

shows that autoloading works, but obviously isn't a real solution.
I will need to get /proc/fs/nfs created permanently.  I will see about
creating a patch soon.

> 
> Should /proc/fs/nfs be unmounted when the /etc/init.d/nfs is
> stopped?

It doesn't really matter.  It needs to be unmounted before you can
unload the module, but it shouldn't hurt to just leave it there.

> 
> Could there be problems if nfsd uses /proc/fs/nfs, then nfsd is shutdown
> and restarted without /proc/fs/nfs being mounted?

Not really.  The 'nfsd' filesystem is just an interface into the
kernel.  It doesn't store any real data and unmounting it doesn't
affect anything.  It just removes the interface.

NeilBrown

