rpms/autofs/F-8 autofs-5.0.2-hosts-nosuid-default.patch, NONE, 1.1 autofs.spec, 1.224, 1.225

Ian Kent (iankent) fedora-extras-commits at redhat.com
Thu Dec 13 07:58:11 UTC 2007


Author: iankent

Update of /cvs/pkgs/rpms/autofs/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv32268

Modified Files:
	autofs.spec 
Added Files:
	autofs-5.0.2-hosts-nosuid-default.patch 
Log Message:
* Thu Dec 13 2007 Ian Kent <ikent at redhat.com> - 5.0.2-18
- Bug 421361: CVE-2007-5964 autofs defaults don't restrict suid in /net [f8]
  - use mount option "nosuid" for "-hosts" map unless "suid" is explicitly specified.


autofs-5.0.2-hosts-nosuid-default.patch:

--- NEW FILE autofs-5.0.2-hosts-nosuid-default.patch ---
diff --git a/man/auto.master.5.in b/man/auto.master.5.in
index d488960..56aaa5d 100644
--- a/man/auto.master.5.in
+++ b/man/auto.master.5.in
@@ -195,6 +195,9 @@ For example, with an entry in the master map of
 .hy
 accessing /net/myserver will mount exports from myserver on directories below
 /net/myserver.
+.P
+NOTE: mounts done from a hosts map will be mounted with the "nosuid" option
+unless the "suid" option is explicitly given in the master map entry.
 .SH LDAP MAPS
 If the map type \fBldap\fP is specified the mapname is of the form
 \fB[//servername/]dn\fP, where the optional \fBservername\fP is
diff --git a/modules/parse_sun.c b/modules/parse_sun.c
index 186e567..9a97329 100644
--- a/modules/parse_sun.c
+++ b/modules/parse_sun.c
@@ -496,6 +496,7 @@ static int sun_mount(struct autofs_point *ap, const char *root,
 	int rv, cur_state;
 	char *mountpoint;
 	char *what;
+	char *type;
 
 	if (*options == '\0')
 		options = NULL;
@@ -585,6 +586,36 @@ static int sun_mount(struct autofs_point *ap, const char *root,
 	mountpoint = alloca(namelen + 1);
 	sprintf(mountpoint, "%.*s", namelen, name);
 
+	type = ap->entry->maps->type;
+	if (type && !strcmp(type, "hosts")) {
+		if (options) {
+			if (!strstr(options, "suid")) {
+				char *tmp = alloca(strlen(options) + 8);
+				if (!tmp) {
+					error(ap->logopt, MODPREFIX
+					      "alloca failed for options");
+					if (nonstrict)
+						return -1;
+					return 1;
+				}
+				strcpy(tmp, options);
+				strcat(tmp, ",nosuid");
+				options = tmp;
+			}
+		} else {
+			char *tmp = alloca(7);
+			if (!tmp) {
+				error(ap->logopt,
+				      MODPREFIX "alloca failed for options");
+				if (nonstrict)
+					return -1;
+				return 1;
+			}
+			strcpy(tmp, "nosuid");
+			options = tmp;
+		}
+	}
+
 	pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &cur_state);
 	if (!strcmp(fstype, "nfs")) {
 		what = alloca(loclen + 1);
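Review bot: `strstr(options, "suid")` in the hosts-map branch is a substring test, so any option text that merely contains those letters (a longer option name, or an option value) counts as an explicit choice and the `nosuid` default is skipped for that mount. Because this default is the whole fix for untrusted exports under /net, the test should match whole comma-separated entries against `suid` and `nosuid`; the sketch below assumes `options` is a plain comma-separated list at this point, which the hunk does not show. Separately, `alloca()` has no failure return, so both `if (!tmp)` branches are dead code and can be dropped. The same exports can also carry device nodes, so defaulting `nodev` by the same rule may be worth considering. sun_mount starts and ends outside the hunk.

```c
/* Nonzero when opt is one whole comma-separated entry of options. */
static int has_mount_option(const char *options, const char *opt)
{
	size_t optlen = strlen(opt);

	while (*options) {
		size_t toklen = strcspn(options, ",");

		if (toklen == optlen && !strncmp(options, opt, optlen))
			return 1;
		options += toklen;
		if (*options == ',')
			options++;
	}
	return 0;
}

	/* … unchanged: mountpoint setup, hosts map type test … */
		if (options) {
			if (!has_mount_option(options, "suid") &&
			    !has_mount_option(options, "nosuid")) {
				/* … unchanged: copy options and append ",nosuid" … */
```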
diff --git a/samples/auto.master b/samples/auto.master
index d4796a3..4995976 100644
--- a/samples/auto.master
+++ b/samples/auto.master
@@ -5,6 +5,11 @@
 # For details of the format look at autofs(5).
 #
 /misc	/etc/auto.misc
+#
+# NOTE: mounts done from a hosts map will be mounted with the
+#	"nosuid" option unless the "suid" option is explicitly
+#	given.
+#
 /net	-hosts
 #
 # Include central master map if it can be found using


Index: autofs.spec
===================================================================
RCS file: /cvs/pkgs/rpms/autofs/F-8/autofs.spec,v
retrieving revision 1.224
retrieving revision 1.225
diff -u -r1.224 -r1.225
--- autofs.spec	20 Nov 2007 07:54:34 -0000	1.224
+++ autofs.spec	13 Dec 2007 07:57:37 -0000	1.225
@@ -4,7 +4,7 @@
 Summary: A tool for automatically mounting and unmounting filesystems
 Name: autofs
 Version: 5.0.2
-Release: 17
+Release: 18
 Epoch: 1
 License: GPL
 Group: System Environment/Daemons
@@ -55,6 +55,7 @@
 Patch42: autofs-5.0.2-report-failed-lookups.patch
 Patch43: autofs-5.0.2-dynamic-logging-non-sasl.patch
 Patch44: autofs-5.0.2-singleton-host-list.patch
+Patch45: autofs-5.0.2-hosts-nosuid-default.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: autoconf, hesiod-devel, openldap-devel, bison, flex, libxml2-devel, cyrus-sasl-devel, openssl-devel module-init-tools util-linux nfs-utils e2fsprogs
 Conflicts: kernel < 2.6.17
@@ -141,6 +142,7 @@
 %patch42 -p1 
 %patch43 -p1
 %patch44 -p1
+%patch45 -p1
 
 %build
 #CFLAGS="$RPM_OPT_FLAGS" ./configure --prefix=/usr --libdir=%{_libdir}
@@ -193,6 +195,10 @@
 %{_libdir}/autofs/
 
 %changelog
+* Thu Dec 13 2007 Ian Kent <ikent at redhat.com> - 5.0.2-18
+- Bug 421361: CVE-2007-5964 autofs defaults don't restrict suid in /net [f8]
+  - use mount option "nosuid" for "-hosts" map unless "suid" is explicily specified.
+
 * Tue Nov 20 2007 Ian Kent <ikent at redhat.com> - 5.0.2-17
 - fix schema selection in LDAP schema discovery.
 - check for "*" when looking up wildcard in LDAP.



