libnfsidmap built without hardening flags
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
nfs-utils (Ubuntu) | Fix Released | Undecided | Andreas Hasenack |
Jammy | Won't Fix | Undecided | Andreas Hasenack |
Bug Description
[Impact]
Hardening build flags are an integral part of Ubuntu security [1], and were accidentally dropped from nfs-utils when the merge for version 2.6.x happened during the jammy development cycle.
See [1] under "Built with BIND_NOW".
[Test Plan]
The test plan is to inspect the build logs (old logs at [2]) and verify that hardening was applied. In particular:
- verify that -Wl,-z,now is being used now, and that it wasn't before (linker stage)
Another way to check is to run hardening-check, from the ubuntu-dev-tools package, on each binary object from the package, and verify that "Immediate binding" changed from "no" (previous package) to "yes":
$ for n in $(dpkg -L libnfsidmap1 | grep \\.so); do hardening-check $n > $(basename $n).txt; done
$ for n in $(dpkg -L nfs-common|grep bin/); do hardening-check $n > $(basename $n).txt; done
$ for n in $(dpkg -L nfs-kernel-
$ grep Immediate *.txt
blkmapd.txt: Immediate binding: yes
exportfs.txt: Immediate binding: yes
libnfsidmap.
libnfsidmap.
mount.nfs.txt: Immediate binding: yes
mount.nfs4.txt: Immediate binding: yes
nfsconf.txt: Immediate binding: yes
nfsdcld.txt: Immediate binding: yes
nfsdcltrack.txt: Immediate binding: yes
nfsidmap.txt: Immediate binding: yes
nfsstat.txt: Immediate binding: yes
nsswitch.so.txt: Immediate binding: yes
rpc.gssd.txt: Immediate binding: yes
rpc.idmapd.txt: Immediate binding: yes
rpc.mountd.txt: Immediate binding: yes
rpc.nfsd.txt: Immediate binding: yes
rpc.statd.txt: Immediate binding: yes
rpc.svcgssd.txt: Immediate binding: yes
rpcdebug.txt: Immediate binding: yes
showmount.txt: Immediate binding: yes
sm-notify.txt: Immediate binding: yes
static.so.txt: Immediate binding: yes
umich_ldap.so.txt: Immediate binding: yes
umount.nfs.txt: Immediate binding: yes
umount.nfs4.txt: Immediate binding: yes
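The "Immediate binding" line that hardening-check prints reflects the DF_BIND_NOW bit in DT_FLAGS or the DF_1_NOW bit in DT_FLAGS_1 of the ELF dynamic section, which is what -Wl,-z,now sets. As an added example (not part of this bug report or of the nfs-utils packaging), the script below performs that check directly by parsing the ELF64 program headers; build_test_elf is a constructed minimal ELF used only so the check can be exercised offline.

```python
import struct
import sys

PT_DYNAMIC = 2
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1          # both are set by -Wl,-z,now

def dynamic_entries(data: bytes):
    """Yield (d_tag, d_val) pairs from the PT_DYNAMIC segment of an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 file")
    e = "<" if data[5] == 1 else ">"           # EI_DATA: 1 = little endian
    (phoff,) = struct.unpack_from(e + "Q", data, 32)        # e_phoff
    phentsize, phnum = struct.unpack_from(e + "HH", data, 54)
    for i in range(phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            e + "IIQQQQ", data, phoff + i * phentsize)
        if p_type != PT_DYNAMIC:
            continue
        for j in range(p_filesz // 16):        # Elf64_Dyn is 16 bytes
            tag, val = struct.unpack_from(e + "qQ", data, p_offset + j * 16)
            if tag == DT_NULL:
                return
            yield tag, val

def has_bind_now(data: bytes) -> bool:
    """True when the loader must resolve every symbol at start-up (no lazy PLT binding)."""
    dyn = dict(dynamic_entries(data))
    return bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)

def build_test_elf(bind_now: bool) -> bytes:
    """Constructed minimal ELF64 (header + one PT_DYNAMIC phdr) for offline testing."""
    dyn = struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW if bind_now else 0)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, little endian
    # e_type=ET_DYN, e_machine=x86-64, phdr table at offset 64, one 56-byte entry
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn

if __name__ == "__main__":
    # Same report shape as the hardening-check output quoted above.
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            verdict = "yes" if has_bind_now(f.read()) else "no"
        print(f"{path}: Immediate binding: {verdict}")
```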
[Where problems could occur]
This rebuilds the package with compiler and linker flags that were present before but had been dropped. Regressions in such cases are either caught very quickly, or only once a bigger user base tries the change out. In the case of nfs it seems worth the risk, since it is a privileged service that deals with network data.
[Other Info]
I cleared [3] this with #security, and they deemed this worth including in an existing nfs-utils SRU, which is what I'm doing for bug #1977745.
1. https:/
2. https:/
3. https:/
[Original Description]
$ grep hardening ../lintian.log
I: libnfsidmap-regex: hardening-
I: libnfsidmap1: hardening-
I: libnfsidmap1: hardening-
I: libnfsidmap1: hardening-
I: libnfsidmap1: hardening-
I: libnfsidmap-regex: hardening-
It was there before when we had src:libnfsidmap: https:/
But we lost it when src:nfs-utils incorporated the libnfsidmap code.
Related branches
- git-ubuntu bot: Approve
- Christian Ehrhardt (community): Approve
- Canonical Server Reporter: Pending requested
Diff: 2013 lines (+1660/-8), 22 files modified:
- debian/README.Ubuntu (+30/-0)
- debian/changelog (+1229/-0)
- debian/control (+17/-6)
- debian/libnfsidmap-regex.install (+1/-0)
- debian/libnfsidmap1.docs (+1/-0)
- debian/libnfsidmap1.install (+3/-1)
- debian/nfs-common.dirs (+1/-0)
- debian/nfs-common.docs (+1/-0)
- debian/nfs-common.postrm (+1/-0)
- debian/not-installed (+3/-0)
- debian/patches/nfs-conf-manpage-missing-svcgssd-options.patch (+19/-0)
- debian/patches/series (+5/-0)
- debian/patches/svcgssd-display-principal-if-set.patch (+37/-0)
- debian/patches/svcgssd-document-missing-options.patch (+44/-0)
- debian/patches/svcgssd-fix-use-after-free.patch (+45/-0)
- debian/patches/ubuntu-idmapd-manpage-update-regex-other-package.patch (+12/-0)
- debian/rules (+7/-1)
- debian/source.apport (+32/-0)
- debian/tests/control (+11/-0)
- debian/tests/kerberos-mount (+38/-0)
- debian/tests/util (+89/-0)
- debian/tests/v3-mount (+34/-0)
Changed in nfs-utils (Ubuntu Jammy):
- status: New → In Progress
- assignee: nobody → Andreas Hasenack (ahasenack)
This bug was fixed in the package nfs-utils - 1:2.6.1-2ubuntu1
---------------
nfs-utils (1:2.6.1-2ubuntu1) kinetic; urgency=medium

  * Merge with Debian unstable (LP: #1974233). Remaining changes:
    - d/control: don't provide libnfsidmap2 in libnfsidmap1. This
      package contains not only plugins, but an actual shared library,
      with a different soname.
    - Don't install the regex module, as it's built by
      src:libnfsidmap-regex which is in Universe (MIR: #1960824)
      + d/control: don't conflict/break/etc with libnfsidmap-regex
      + d/libnfsidmap1.install: don't install regex.so
      + d/not-installed: mark files we knowingly don't include in the
        packaging
      + d/p/remove-regex-from-docs.patch: remove the regex section from
        the idmapd.conf(5) manpage, as we are not building that plugin in
        this package
    - Update README file:
      + d/README.Ubuntu: new /etc/nfs.conf config structure
      + d/libnfsidmap1.docs, d/nfs-common.docs: install README.Ubuntu
    - d/nfs-common.postrm: also purge /etc/nfs.conf.d/local.conf
    - d/nfs-common.dirs: we also own /etc/nfs.conf.d
    - New apport hook (LP #1961058):
      + d/source.apport: apport hook for nfs-utils
      + d/control: build-depend dh-apport
      + d/rules: build with apport, and install the hook in the
        nfs-common package which is installed on both client and servers
    - Add more DEP8 tests (LP #1960828):
      + d/t/{control,kerberos-mount,util}: test NFSv4 krb5p mounts
      + d/t/{control,v3-mount}: specific NFSv3 mount test
  * Dropped:
    - d/nfsconvert.py: add short "u" option for mountd's no-udp
      [Included in 1:2.6.1-2]
    - d/NEWS: explain some of the major changes in 2.6.x
      [Obsoleted by Debian's update to the per-package NEWS files]
    - d/nfs-*.bug-script: update to also include /etc/nfs.conf and
      /etc/nfs.conf.d/*.conf
      [Included in 1:2.6.1-2]
  * Added changes:
    - New binary package libnfsidmap-regex (LP: #1974067):
      + d/control: new package
      + d/libnfsidmap-regex.install: install the plugin file
      + d/not-installed: remove the plugin from the not-installed list
      + d/p/remove-regex-from-docs.patch: deleted
      + d/p/ubuntu-idmapd-manpage-update-regex-other-package.patch:
        note that the regex plugin is in another package
    - rpc.svcgssd fixes and improvements (LP: #1977745):
      + d/p/svcgssd-fix-use-after-free.patch: fix use-after-free which was
        preventing svcgssd options set in /etc/nfs.conf from being used
      + d/p/svcgssd-display-principal-if-set.patch: improve logging,
        showing the expected principal name if it was set in the config
      + d/p/svcgssd-document-missing-options.patch: add missing options to
        the svcgssd manpage
      + d/p/nfs-conf-manpage-missing-svcgssd-options.patch: also
        document the missing svcgssd options to the nfs.conf(5) manpage
    - d/README.Ubuntu: updated with the content of the previous d/NEWS
      file
    - d/rules: re-add hardening option lost from the src:libnfsidmap to
      src:nfs-utils transition (LP: #1980095)
-- Andreas Hasenack <email address hidden> Tue, 28 Jun 2022 10:59...