From: Bruce Ashfield
Date: Wed, 19 Sep 2018 03:59:40 -0400
To: ChenQi
Cc: meta-virtualization@yoctoproject.org
Subject: Re: [m-c-s][PATCH V2 1/2] glusterfs: fix CVE-2018-1088
References: <1536833737-23284-1-git-send-email-Qi.Chen@windriver.com>
List-Id: "Discussion of layer enabling hypervisor, virtualization tool stack, and cloud support"

I had merged, but not pushed this. Sorry about that. It is now pushed.

Bruce

On Mon, Sep 17, 2018 at 9:34 PM, ChenQi wrote:
> ping
>
>
> On 09/13/2018 06:15 PM, Chen Qi wrote:
>>
>> Backport patches to fix the following CVE.
>>
>> CVE: CVE-2018-1088
>>
>> Signed-off-by: Chen Qi
>> ---
>>  ...age-Prevent-mounting-shared-storage-from-.patch |  70 ++++++
>>  ...auth-add-option-for-strict-authentication.patch | 280 +++++++++++++++++++++
>>  recipes-extended/glusterfs/glusterfs.inc           |   2 +
>>  3 files changed, 352 insertions(+)
>>  create mode 100644 recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch
>>  create mode 100644 recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch
>>
>> diff --git a/recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch b/recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch
>> new file mode 100644
>> index 0000000..0e24c56
>> --- /dev/null
>> +++ b/recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch
>> @@ -0,0 +1,70 @@ >> +From d1936056d77abcfda14386235a88ed553341a429 Mon Sep 17 00:00:00 2001 >> +From: Mohammed Rafi KC >> +Date: Mon, 26 Mar 2018 20:27:34 +0530 >> +Subject: [PATCH 1/3] shared storage: Prevent mounting shared storage from >> + non-trusted client >> + >> +gluster shared storage is a volume used for internal storage for >> +various features including ganesha, geo-rep, snapshot. >> + >> +So this volume should not be exposed to the client, as it is >> +a special volume for internal use. >> + >> +This fix wont't generate non trusted volfile for shared storage volume. >> + >> +Change-Id: I8ffe30ae99ec05196d75466210b84db311611a4c >> +fixes: bz#1568844 >> +BUG: 1568844 >> +Signed-off-by: Mohammed Rafi KC >> + >> +Upstream-Status: Backport >> +Fix CVE-2018-1088 >> + >> +Signed-off-by: Chen Qi >> + >> +--- >> + xlators/mgmt/glusterd/src/glusterd-volgen.c | 21 +++++++++++++++++++++ >> + 1 file changed, 21 insertions(+) >> + >> +diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c >> b/xlators/mgmt/glusterd/src/glusterd-volgen.c >> +index 0a0668e..308c41f 100644 >> +--- a/xlators/mgmt/glusterd/src/glusterd-volgen.c >> ++++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c >> +@@ -5721,6 +5721,7 @@ generate_client_volfiles (glusterd_volinfo_t >> *volinfo, >> + int i = 0; >> + int ret = -1; >> + char filepath[PATH_MAX] = {0,}; >> ++ char *volname = NULL; >> + char *types[] = {NULL, NULL, NULL}; >> + dict_t *dict = NULL; >> + xlator_t *this = NULL; >> +@@ -5728,6 +5729,26 @@ generate_client_volfiles (glusterd_volinfo_t >> *volinfo, >> + >> + this = THIS; >> + >> ++ volname = volinfo->is_snap_volume ? >> ++ volinfo->parent_volname : volinfo->volname; >> ++ >> ++ >> ++ if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE) && >> ++ client_type != GF_CLIENT_TRUSTED) { >> ++ /* >> ++ * shared storage volume cannot be mounted from non >> trusted >> ++ * nodes. 
So we are not creating volfiles for >> non-trusted >> ++ * clients for shared volumes as well as snapshot of >> shared >> ++ * volumes. >> ++ */ >> ++ >> ++ ret = 0; >> ++ gf_msg_debug ("glusterd", 0, "Skipping the non-trusted >> volfile" >> ++ "creation for shared storage volume. >> Volume %s", >> ++ volname); >> ++ goto out; >> ++ } >> ++ >> + enumerate_transport_reqs (volinfo->transport_type, types); >> + dict = dict_new (); >> + if (!dict) >> +-- >> +2.7.4 >> + >> diff --git >> a/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch >> b/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch >> new file mode 100644 >> index 0000000..8947f27 >> --- /dev/null >> +++ >> b/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch 
>> @@ -0,0 +1,280 @@ >> +From a74ab3ab169add1e86aae0a99855211b948be021 Mon Sep 17 00:00:00 2001 >> +From: Mohammed Rafi KC >> +Date: Mon, 2 Apr 2018 12:20:47 +0530 >> +Subject: [PATCH 2/3] server/auth: add option for strict authentication >> + >> +When this option is enabled, we will check for a matching >> +username and password, if not found then the connection will >> +be rejected. This also does a checksum validation of volfile >> + >> +The option is invalid when SSL/TLS is in use, at which point >> +the SSL/TLS certificate user name is used to validate and >> +hence authorize the right user. This expects TLS allow rules >> +to be setup correctly rather than the default *. >> + >> +This option is not settable, as a result this cannot be enabled >> +for volumes using the CLI. This is used with the shared storage >> +volume, to restrict access to the same in non-SSL/TLS environments >> +to the gluster peers only. >> + >> +Tested: >> + ./tests/bugs/protocol/bug-1321578.t >> + ./tests/features/ssl-authz.t >> + - Ran tests on volumes with and without strict auth >> + checking (as brick vol file needed to be edited to test, >> + or rather to enable the option) >> + - Ran tests on volumes to ensure existing mounts are >> + disconnected when we enable strict checking >> + >> +Change-Id: I2ac4f0cfa5b59cc789cc5a265358389b04556b59 >> +fixes: bz#1568844 >> +Signed-off-by: Mohammed Rafi KC >> +Signed-off-by: ShyamsundarR >> + >> +Upstream-Status: Backport >> +Fix CVE-2018-1088 >> + >> +Signed-off-by: Chen Qi >> + >> +--- >> + xlators/mgmt/glusterd/src/glusterd-volgen.c | 16 +++++++- >> + xlators/protocol/auth/login/src/login.c | 51 >> ++++++++++++++++++++++---- >> + xlators/protocol/server/src/authenticate.h | 4 +- >> + xlators/protocol/server/src/server-handshake.c | 2 +- >> + xlators/protocol/server/src/server.c | 18 +++++++++ >> + xlators/protocol/server/src/server.h | 2 + >> + 6 files changed, 81 insertions(+), 12 deletions(-) >> + >> +diff --git 
a/xlators/mgmt/glusterd/src/glusterd-volgen.c >> b/xlators/mgmt/glusterd/src/glusterd-volgen.c >> +index 308c41f..8dd4907 100644 >> +--- a/xlators/mgmt/glusterd/src/glusterd-volgen.c >> ++++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c >> +@@ -2250,6 +2250,7 @@ brick_graph_add_server (volgen_graph_t *graph, >> glusterd_volinfo_t *volinfo, >> + char *password = NULL; >> + char key[1024] = {0}; >> + char *ssl_user = NULL; >> ++ char *volname = NULL; >> + char *address_family_data = NULL; >> + >> + if (!graph || !volinfo || !set_dict || !brickinfo) >> +@@ -2325,6 +2326,19 @@ brick_graph_add_server (volgen_graph_t *graph, >> glusterd_volinfo_t *volinfo, >> + if (ret) >> + return -1; >> + >> ++ volname = volinfo->is_snap_volume ? >> ++ volinfo->parent_volname : volinfo->volname; >> ++ >> ++ >> ++ if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE)) { >> ++ memset (key, 0, sizeof (key)); >> ++ snprintf (key, sizeof (key), "strict-auth-accept"); >> ++ >> ++ ret = xlator_set_option (xl, key, "true"); >> ++ if (ret) >> ++ return -1; >> ++ } >> ++ >> + if (dict_get_str (volinfo->dict, "auth.ssl-allow", &ssl_user) == >> 0) { >> + memset (key, 0, sizeof (key)); >> + snprintf (key, sizeof (key), "auth.login.%s.ssl-allow", >> +@@ -5734,7 +5748,7 @@ generate_client_volfiles (glusterd_volinfo_t >> *volinfo, >> + >> + >> + if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE) && >> +- client_type != GF_CLIENT_TRUSTED) { >> ++ client_type != GF_CLIENT_TRUSTED) { >> + /* >> + * shared storage volume cannot be mounted from non >> trusted >> + * nodes. 
So we are not creating volfiles for >> non-trusted >> +diff --git a/xlators/protocol/auth/login/src/login.c >> b/xlators/protocol/auth/login/src/login.c >> +index e799dd2..da10d0b 100644 >> +--- a/xlators/protocol/auth/login/src/login.c >> ++++ b/xlators/protocol/auth/login/src/login.c >> +@@ -11,6 +11,16 @@ >> + #include >> + #include "authenticate.h" >> + >> ++/* Note on strict_auth >> ++ * - Strict auth kicks in when authentication is using the username, >> password >> ++ * in the volfile to login >> ++ * - If enabled, auth is rejected if the username and password is not >> matched >> ++ * or is not present >> ++ * - When using SSL names, this is automatically strict, and allows only >> those >> ++ * names that are present in the allow list, IOW strict auth checking >> has no >> ++ * implication when using SSL names >> ++*/ >> ++ >> + auth_result_t gf_auth (dict_t *input_params, dict_t *config_params) >> + { >> + auth_result_t result = AUTH_DONT_CARE; >> +@@ -27,6 +37,7 @@ auth_result_t gf_auth (dict_t *input_params, dict_t >> *config_params) >> + char *tmp = NULL; >> + char *username_cpy = NULL; >> + gf_boolean_t using_ssl = _gf_false; >> ++ gf_boolean_t strict_auth = _gf_false; >> + >> + username_data = dict_get (input_params, "ssl-name"); >> + if (username_data) { >> +@@ -35,16 +46,39 @@ auth_result_t gf_auth (dict_t *input_params, dict_t >> *config_params) >> + using_ssl = _gf_true; >> + } >> + else { >> ++ ret = dict_get_str_boolean (config_params, >> "strict-auth-accept", >> ++ _gf_false); >> ++ if (ret == -1) >> ++ strict_auth = _gf_false; >> ++ else >> ++ strict_auth = ret; >> ++ >> + username_data = dict_get (input_params, "username"); >> + if (!username_data) { >> +- gf_log ("auth/login", GF_LOG_DEBUG, >> +- "username not found, returning >> DONT-CARE"); >> ++ if (strict_auth) { >> ++ gf_log ("auth/login", GF_LOG_DEBUG, >> ++ "username not found, strict >> auth" >> ++ " configured returning REJECT"); >> ++ result = AUTH_REJECT; >> ++ } else { >> ++ 
gf_log ("auth/login", GF_LOG_DEBUG, >> ++ "username not found, returning" >> ++ " DONT-CARE"); >> ++ } >> + goto out; >> + } >> + password_data = dict_get (input_params, "password"); >> + if (!password_data) { >> +- gf_log ("auth/login", GF_LOG_WARNING, >> +- "password not found, returning >> DONT-CARE"); >> ++ if (strict_auth) { >> ++ gf_log ("auth/login", GF_LOG_DEBUG, >> ++ "password not found, strict >> auth" >> ++ " configured returning REJECT"); >> ++ result = AUTH_REJECT; >> ++ } else { >> ++ gf_log ("auth/login", GF_LOG_WARNING, >> ++ "password not found, returning" >> ++ " DONT-CARE"); >> ++ } >> + goto out; >> + } >> + password = data_to_str (password_data); >> +@@ -62,9 +96,10 @@ auth_result_t gf_auth (dict_t *input_params, dict_t >> *config_params) >> + ret = gf_asprintf (&searchstr, "auth.login.%s.%s", brick_name, >> + using_ssl ? "ssl-allow" : "allow"); >> + if (-1 == ret) { >> +- gf_log ("auth/login", GF_LOG_WARNING, >> ++ gf_log ("auth/login", GF_LOG_ERROR, >> + "asprintf failed while setting search string, " >> +- "returning DONT-CARE"); >> ++ "returning REJECT"); >> ++ result = AUTH_REJECT; >> + goto out; >> + } >> + >> +@@ -92,8 +127,10 @@ auth_result_t gf_auth (dict_t *input_params, dict_t >> *config_params) >> + * ssl-allow=* case as well) authorization is >> effectively >> + * disabled, though authentication and encryption are >> still >> + * active. >> ++ * >> ++ * Read NOTE on strict_auth above. 
>> + */ >> +- if (using_ssl) { >> ++ if (using_ssl || strict_auth) { >> + result = AUTH_REJECT; >> + } >> + username_cpy = gf_strdup (allow_user->data); >> +diff --git a/xlators/protocol/server/src/authenticate.h >> b/xlators/protocol/server/src/authenticate.h >> +index 3f80231..5f92183 100644 >> +--- a/xlators/protocol/server/src/authenticate.h >> ++++ b/xlators/protocol/server/src/authenticate.h >> +@@ -37,10 +37,8 @@ typedef struct { >> + volume_opt_list_t *vol_opt; >> + } auth_handle_t; >> + >> +-auth_result_t gf_authenticate (dict_t *input_params, >> +- dict_t *config_params, >> +- dict_t *auth_modules); >> + int32_t gf_auth_init (xlator_t *xl, dict_t *auth_modules); >> + void gf_auth_fini (dict_t *auth_modules); >> ++auth_result_t gf_authenticate (dict_t *, dict_t *, dict_t *); >> + >> + #endif /* _AUTHENTICATE_H */ >> +diff --git a/xlators/protocol/server/src/server-handshake.c >> b/xlators/protocol/server/src/server-handshake.c >> +index f00804a..392a101 100644 >> +--- a/xlators/protocol/server/src/server-handshake.c >> ++++ b/xlators/protocol/server/src/server-handshake.c >> +@@ -631,7 +631,7 @@ server_setvolume (rpcsvc_request_t *req) >> + ret = dict_get_str (params, "volfile-key", >> + &volfile_key); >> + if (ret) >> +- gf_msg_debug (this->name, 0, "failed to >> set " >> ++ gf_msg_debug (this->name, 0, "failed to >> get " >> + "'volfile-key'"); >> + >> + ret = _validate_volfile_checksum (this, >> volfile_key, >> +diff --git a/xlators/protocol/server/src/server.c >> b/xlators/protocol/server/src/server.c >> +index 202fe71..61c6194 100644 >> +--- a/xlators/protocol/server/src/server.c >> ++++ b/xlators/protocol/server/src/server.c >> +@@ -883,6 +883,10 @@ do_rpc: >> + goto out; >> + } >> + >> ++ GF_OPTION_RECONF ("strict-auth-accept", >> conf->strict_auth_enabled, >> ++ options, bool, out); >> ++ >> ++ >> + GF_OPTION_RECONF ("dynamic-auth", conf->dync_auth, options, >> + bool, out); >> + >> +@@ -1113,6 +1117,14 @@ init (xlator_t *this) >> + "Failed to 
initialize group cache."); >> + goto out; >> + } >> ++ >> ++ ret = dict_get_str_boolean (this->options, "strict-auth-accept", >> ++ _gf_false); >> ++ if (ret == -1) >> ++ conf->strict_auth_enabled = _gf_false; >> ++ else >> ++ conf->strict_auth_enabled = ret; >> ++ >> + ret = dict_get_str_boolean (this->options, "dynamic-auth", >> + _gf_true); >> + if (ret == -1) >> +@@ -1667,5 +1679,11 @@ struct volume_options options[] = { >> + "transport connection immediately in response >> to " >> + "*.allow | *.reject volume set options." >> + }, >> ++ { .key = {"strict-auth-accept"}, >> ++ .type = GF_OPTION_TYPE_BOOL, >> ++ .default_value = "off", >> ++ .description = "strict-auth-accept reject connection with >> out" >> ++ "a valid username and password." >> ++ }, >> + { .key = {NULL} }, >> + }; >> +diff --git a/xlators/protocol/server/src/server.h >> b/xlators/protocol/server/src/server.h >> +index 0b37eb1..7eea291 100644 >> +--- a/xlators/protocol/server/src/server.h >> ++++ b/xlators/protocol/server/src/server.h >> +@@ -24,6 +24,7 @@ >> + #include "client_t.h" >> + #include "gidcache.h" >> + #include "defaults.h" >> ++#include "authenticate.h" >> + >> + #define DEFAULT_BLOCK_SIZE 4194304 /* 4MB */ >> + #define DEFAULT_VOLUME_FILE_PATH CONFDIR "/glusterfs.vol" >> +@@ -105,6 +106,7 @@ struct server_conf { >> + * false, when child is down >> */ >> + >> + gf_lock_t itable_lock; >> ++ gf_boolean_t strict_auth_enabled; >> + }; >> + typedef struct server_conf server_conf_t; >> + >> +-- >> +2.7.4 >> + >> diff --git a/recipes-extended/glusterfs/glusterfs.inc >> b/recipes-extended/glusterfs/glusterfs.inc >> index 02c8a6a..8bf5653 100644 >> --- a/recipes-extended/glusterfs/glusterfs.inc >> +++ b/recipes-extended/glusterfs/glusterfs.inc 
>> @@ -20,6 +20,8 @@ SRC_URI += "file://glusterd.init \ >> file://libglusterfs-Don-t-link-against-libfl.patch \ >> file://glusterd-change-port-range.patch \ >> >> file://configure.ac-allow-PYTHON-values-to-be-passed-via-en.patch \ >> + >> file://0001-shared-storage-Prevent-mounting-shared-storage-from-.patch \ >> + >> file://0002-server-auth-add-option-for-strict-authentication.patch \ >> " >> LICENSE = "(LGPLv3+ | GPLv2) & GPLv3+ & LGPLv3+ & GPLv2+ & LGPLv2+ & >> LGPLv2.1+ & Apache-2.0" > > > > -- > _______________________________________________ > meta-virtualization mailing list > meta-virtualization@yoctoproject.org > https://lists.yoctoproject.org/listinfo/meta-virtualization -- "Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end"
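Review bot: In the 0001 hunk for generate_client_volfiles, the two adjacent string literals in the gf_msg_debug call, "Skipping the non-trusted volfile" and "creation for shared storage volume. Volume %s", concatenate to "volfilecreation"; add a trailing space to the first literal. The early `ret = 0; goto out;` itself is the right shape: the shared-storage volfile is never generated for a client_type other than GF_CLIENT_TRUSTED, so the restriction does not rely on a check that has to be reached at mount time.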
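Review bot: In the 0002 hunk for brick_graph_add_server, the memset plus snprintf into key only produces the constant "strict-auth-accept"; pass the literal directly as xlator_set_option (xl, "strict-auth-accept", "true") and drop those two lines. The placement is fine: the option is written only for GLUSTER_SHARED_STORAGE (and its snapshots, via parent_volname), and the commit message says it is not settable from the CLI, so the generated brick volfile is the single place that decides whether strict checking is on.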
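Review bot: In the login.c hunk that rejects a missing username or password under strict_auth, both new AUTH_REJECT paths log at GF_LOG_DEBUG, so at default log levels a refused connection leaves no trace; the pre-existing non-strict password-missing path already logs at GF_LOG_WARNING, and a rejected authentication is exactly what an operator wants surfaced, so use GF_LOG_WARNING here and include brick_name in the message. Minor: dict_get_str_boolean is already called with _gf_false as the default, so `if (ret == -1) strict_auth = _gf_false; else strict_auth = ret;` collapses to a single assignment (the same pattern recurs in the server.c init hunk).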
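Review bot: In the login.c hunks around the allow-list lookup, two behaviour changes deserve an explicit sentence in the commit message: a gf_asprintf failure now yields AUTH_REJECT instead of AUTH_DONT_CARE (fail closed, the right default for an auth module), and with strict_auth the result is set to AUTH_REJECT before the allow list is walked, so a brick with no matching auth.login.<brick>.allow entry refuses the client instead of deferring to other modules. Both match what the option promises; the added comment `Read NOTE on strict_auth above` could just state the rule inline (strict or SSL: reject unless explicitly allowed) so the reader need not scroll to the file header.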
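Review bot: In the authenticate.h hunk, the gf_authenticate prototype is moved below gf_auth_fini and loses its parameter names (dict_t *, dict_t *, dict_t *); keep input_params, config_params and auth_modules in the declaration, since three identically typed dict_t * arguments are easy to pass in the wrong order, and either leave the declaration where it was or say in the commit message why it moved (server.h now including authenticate.h looks like the motivation).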
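Review bot: In the server.c options[] hunk, the description literals "strict-auth-accept reject connection with out" and "a valid username and password." concatenate to "with outa valid"; rewrite as "Reject connections without a valid username and password." This string is what shows up in option listings, so it is worth getting right.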
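Review bot: In the server.c reconfigure and init hunks, conf->strict_auth_enabled is assigned from "strict-auth-accept" but nothing in this patch reads it; the actual decision in login.c fetches the option from config_params directly. The commit message says existing mounts are disconnected when strict checking is enabled, yet no hunk here implements that, and the upstream subjects read [PATCH 1/3] and [PATCH 2/3] while only two patches are backported, so please confirm whether the third patch of the upstream series is needed for this field to take effect (and for already-connected untrusted clients to be dropped). The double blank line after the new GF_OPTION_RECONF should also go.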
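Review bot: In the glusterfs.inc hunk the SRC_URI additions are fine, but the patch headers carry "Fix CVE-2018-1088" rather than the `CVE: CVE-2018-1088` tag line that the cve-check class looks for (the tag appears only in this cover message), and neither patch file name contains the CVE id; add a `CVE: CVE-2018-1088` line to both patch headers so the recipe is reported as fixed.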