[meta-virtualization] [m-c-s][PATCH V2 1/2] glusterfs: fix CVE-2018-1088
ChenQi
Qi.Chen at windriver.com
Mon Sep 17 18:34:33 PDT 2018
ping
On 09/13/2018 06:15 PM, Chen Qi wrote:
> Backport patches to fix the following CVE.
>
> CVE: CVE-2018-1088
>
> Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
> ---
> ...age-Prevent-mounting-shared-storage-from-.patch | 70 ++++++
> ...auth-add-option-for-strict-authentication.patch | 280 +++++++++++++++++++++
> recipes-extended/glusterfs/glusterfs.inc | 2 +
> 3 files changed, 352 insertions(+)
> create mode 100644 recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch
> create mode 100644 recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch
>
> diff --git a/recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch b/recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch
> new file mode 100644
> index 0000000..0e24c56
> --- /dev/null
> +++ b/recipes-extended/glusterfs/files/0001-shared-storage-Prevent-mounting-shared-storage-from-.patch
> @@ -0,0 +1,70 @@
> +From d1936056d77abcfda14386235a88ed553341a429 Mon Sep 17 00:00:00 2001
> +From: Mohammed Rafi KC <rkavunga at redhat.com>
> +Date: Mon, 26 Mar 2018 20:27:34 +0530
> +Subject: [PATCH 1/3] shared storage: Prevent mounting shared storage from
> + non-trusted client
> +
> +gluster shared storage is a volume used for internal storage for
> +various features including ganesha, geo-rep, snapshot.
> +
> +So this volume should not be exposed to the client, as it is
> +a special volume for internal use.
> +
> +This fix wont't generate non trusted volfile for shared storage volume.
> +
> +Change-Id: I8ffe30ae99ec05196d75466210b84db311611a4c
> +fixes: bz#1568844
> +BUG: 1568844
> +Signed-off-by: Mohammed Rafi KC <rkavunga at redhat.com>
> +
> +Upstream-Status: Backport
> +Fix CVE-2018-1088
> +
> +Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
> +
> +---
> + xlators/mgmt/glusterd/src/glusterd-volgen.c | 21 +++++++++++++++++++++
> + 1 file changed, 21 insertions(+)
> +
> +diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c
> +index 0a0668e..308c41f 100644
> +--- a/xlators/mgmt/glusterd/src/glusterd-volgen.c
> ++++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c
> +@@ -5721,6 +5721,7 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo,
> + int i = 0;
> + int ret = -1;
> + char filepath[PATH_MAX] = {0,};
> ++ char *volname = NULL;
> + char *types[] = {NULL, NULL, NULL};
> + dict_t *dict = NULL;
> + xlator_t *this = NULL;
> +@@ -5728,6 +5729,26 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo,
> +
> + this = THIS;
> +
> ++ volname = volinfo->is_snap_volume ?
> ++ volinfo->parent_volname : volinfo->volname;
> ++
> ++
> ++ if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE) &&
> ++ client_type != GF_CLIENT_TRUSTED) {
> ++ /*
> ++ * shared storage volume cannot be mounted from non trusted
> ++ * nodes. So we are not creating volfiles for non-trusted
> ++ * clients for shared volumes as well as snapshot of shared
> ++ * volumes.
> ++ */
> ++
> ++ ret = 0;
> ++ gf_msg_debug ("glusterd", 0, "Skipping the non-trusted volfile"
> ++ "creation for shared storage volume. Volume %s",
> ++ volname);
> ++ goto out;
> ++ }
> ++
> + enumerate_transport_reqs (volinfo->transport_type, types);
> + dict = dict_new ();
> + if (!dict)
> +--
> +2.7.4
> +
> diff --git a/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch b/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch
> new file mode 100644
> index 0000000..8947f27
> --- /dev/null
> +++ b/recipes-extended/glusterfs/files/0002-server-auth-add-option-for-strict-authentication.patch
> @@ -0,0 +1,280 @@
> +From a74ab3ab169add1e86aae0a99855211b948be021 Mon Sep 17 00:00:00 2001
> +From: Mohammed Rafi KC <rkavunga at redhat.com>
> +Date: Mon, 2 Apr 2018 12:20:47 +0530
> +Subject: [PATCH 2/3] server/auth: add option for strict authentication
> +
> +When this option is enabled, we will check for a matching
> +username and password, if not found then the connection will
> +be rejected. This also does a checksum validation of volfile
> +
> +The option is invalid when SSL/TLS is in use, at which point
> +the SSL/TLS certificate user name is used to validate and
> +hence authorize the right user. This expects TLS allow rules
> +to be setup correctly rather than the default *.
> +
> +This option is not settable, as a result this cannot be enabled
> +for volumes using the CLI. This is used with the shared storage
> +volume, to restrict access to the same in non-SSL/TLS environments
> +to the gluster peers only.
> +
> +Tested:
> + ./tests/bugs/protocol/bug-1321578.t
> + ./tests/features/ssl-authz.t
> + - Ran tests on volumes with and without strict auth
> + checking (as brick vol file needed to be edited to test,
> + or rather to enable the option)
> + - Ran tests on volumes to ensure existing mounts are
> + disconnected when we enable strict checking
> +
> +Change-Id: I2ac4f0cfa5b59cc789cc5a265358389b04556b59
> +fixes: bz#1568844
> +Signed-off-by: Mohammed Rafi KC <rkavunga at redhat.com>
> +Signed-off-by: ShyamsundarR <srangana at redhat.com>
> +
> +Upstream-Status: Backport
> +Fix CVE-2018-1088
> +
> +Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
> +
> +---
> + xlators/mgmt/glusterd/src/glusterd-volgen.c | 16 +++++++-
> + xlators/protocol/auth/login/src/login.c | 51 ++++++++++++++++++++++----
> + xlators/protocol/server/src/authenticate.h | 4 +-
> + xlators/protocol/server/src/server-handshake.c | 2 +-
> + xlators/protocol/server/src/server.c | 18 +++++++++
> + xlators/protocol/server/src/server.h | 2 +
> + 6 files changed, 81 insertions(+), 12 deletions(-)
> +
> +diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c
> +index 308c41f..8dd4907 100644
> +--- a/xlators/mgmt/glusterd/src/glusterd-volgen.c
> ++++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c
> +@@ -2250,6 +2250,7 @@ brick_graph_add_server (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
> + char *password = NULL;
> + char key[1024] = {0};
> + char *ssl_user = NULL;
> ++ char *volname = NULL;
> + char *address_family_data = NULL;
> +
> + if (!graph || !volinfo || !set_dict || !brickinfo)
> +@@ -2325,6 +2326,19 @@ brick_graph_add_server (volgen_graph_t *graph, glusterd_volinfo_t *volinfo,
> + if (ret)
> + return -1;
> +
> ++ volname = volinfo->is_snap_volume ?
> ++ volinfo->parent_volname : volinfo->volname;
> ++
> ++
> ++ if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE)) {
> ++ memset (key, 0, sizeof (key));
> ++ snprintf (key, sizeof (key), "strict-auth-accept");
> ++
> ++ ret = xlator_set_option (xl, key, "true");
> ++ if (ret)
> ++ return -1;
> ++ }
> ++
> + if (dict_get_str (volinfo->dict, "auth.ssl-allow", &ssl_user) == 0) {
> + memset (key, 0, sizeof (key));
> + snprintf (key, sizeof (key), "auth.login.%s.ssl-allow",
> +@@ -5734,7 +5748,7 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo,
> +
> +
> + if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE) &&
> +- client_type != GF_CLIENT_TRUSTED) {
> ++ client_type != GF_CLIENT_TRUSTED) {
> + /*
> + * shared storage volume cannot be mounted from non trusted
> + * nodes. So we are not creating volfiles for non-trusted
> +diff --git a/xlators/protocol/auth/login/src/login.c b/xlators/protocol/auth/login/src/login.c
> +index e799dd2..da10d0b 100644
> +--- a/xlators/protocol/auth/login/src/login.c
> ++++ b/xlators/protocol/auth/login/src/login.c
> +@@ -11,6 +11,16 @@
> + #include <fnmatch.h>
> + #include "authenticate.h"
> +
> ++/* Note on strict_auth
> ++ * - Strict auth kicks in when authentication is using the username, password
> ++ * in the volfile to login
> ++ * - If enabled, auth is rejected if the username and password is not matched
> ++ * or is not present
> ++ * - When using SSL names, this is automatically strict, and allows only those
> ++ * names that are present in the allow list, IOW strict auth checking has no
> ++ * implication when using SSL names
> ++*/
> ++
> + auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
> + {
> + auth_result_t result = AUTH_DONT_CARE;
> +@@ -27,6 +37,7 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
> + char *tmp = NULL;
> + char *username_cpy = NULL;
> + gf_boolean_t using_ssl = _gf_false;
> ++ gf_boolean_t strict_auth = _gf_false;
> +
> + username_data = dict_get (input_params, "ssl-name");
> + if (username_data) {
> +@@ -35,16 +46,39 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
> + using_ssl = _gf_true;
> + }
> + else {
> ++ ret = dict_get_str_boolean (config_params, "strict-auth-accept",
> ++ _gf_false);
> ++ if (ret == -1)
> ++ strict_auth = _gf_false;
> ++ else
> ++ strict_auth = ret;
> ++
> + username_data = dict_get (input_params, "username");
> + if (!username_data) {
> +- gf_log ("auth/login", GF_LOG_DEBUG,
> +- "username not found, returning DONT-CARE");
> ++ if (strict_auth) {
> ++ gf_log ("auth/login", GF_LOG_DEBUG,
> ++ "username not found, strict auth"
> ++ " configured returning REJECT");
> ++ result = AUTH_REJECT;
> ++ } else {
> ++ gf_log ("auth/login", GF_LOG_DEBUG,
> ++ "username not found, returning"
> ++ " DONT-CARE");
> ++ }
> + goto out;
> + }
> + password_data = dict_get (input_params, "password");
> + if (!password_data) {
> +- gf_log ("auth/login", GF_LOG_WARNING,
> +- "password not found, returning DONT-CARE");
> ++ if (strict_auth) {
> ++ gf_log ("auth/login", GF_LOG_DEBUG,
> ++ "password not found, strict auth"
> ++ " configured returning REJECT");
> ++ result = AUTH_REJECT;
> ++ } else {
> ++ gf_log ("auth/login", GF_LOG_WARNING,
> ++ "password not found, returning"
> ++ " DONT-CARE");
> ++ }
> + goto out;
> + }
> + password = data_to_str (password_data);
> +@@ -62,9 +96,10 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
> + ret = gf_asprintf (&searchstr, "auth.login.%s.%s", brick_name,
> + using_ssl ? "ssl-allow" : "allow");
> + if (-1 == ret) {
> +- gf_log ("auth/login", GF_LOG_WARNING,
> ++ gf_log ("auth/login", GF_LOG_ERROR,
> + "asprintf failed while setting search string, "
> +- "returning DONT-CARE");
> ++ "returning REJECT");
> ++ result = AUTH_REJECT;
> + goto out;
> + }
> +
> +@@ -92,8 +127,10 @@ auth_result_t gf_auth (dict_t *input_params, dict_t *config_params)
> + * ssl-allow=* case as well) authorization is effectively
> + * disabled, though authentication and encryption are still
> + * active.
> ++ *
> ++ * Read NOTE on strict_auth above.
> + */
> +- if (using_ssl) {
> ++ if (using_ssl || strict_auth) {
> + result = AUTH_REJECT;
> + }
> + username_cpy = gf_strdup (allow_user->data);
> +diff --git a/xlators/protocol/server/src/authenticate.h b/xlators/protocol/server/src/authenticate.h
> +index 3f80231..5f92183 100644
> +--- a/xlators/protocol/server/src/authenticate.h
> ++++ b/xlators/protocol/server/src/authenticate.h
> +@@ -37,10 +37,8 @@ typedef struct {
> + volume_opt_list_t *vol_opt;
> + } auth_handle_t;
> +
> +-auth_result_t gf_authenticate (dict_t *input_params,
> +- dict_t *config_params,
> +- dict_t *auth_modules);
> + int32_t gf_auth_init (xlator_t *xl, dict_t *auth_modules);
> + void gf_auth_fini (dict_t *auth_modules);
> ++auth_result_t gf_authenticate (dict_t *, dict_t *, dict_t *);
> +
> + #endif /* _AUTHENTICATE_H */
> +diff --git a/xlators/protocol/server/src/server-handshake.c b/xlators/protocol/server/src/server-handshake.c
> +index f00804a..392a101 100644
> +--- a/xlators/protocol/server/src/server-handshake.c
> ++++ b/xlators/protocol/server/src/server-handshake.c
> +@@ -631,7 +631,7 @@ server_setvolume (rpcsvc_request_t *req)
> + ret = dict_get_str (params, "volfile-key",
> + &volfile_key);
> + if (ret)
> +- gf_msg_debug (this->name, 0, "failed to set "
> ++ gf_msg_debug (this->name, 0, "failed to get "
> + "'volfile-key'");
> +
> + ret = _validate_volfile_checksum (this, volfile_key,
> +diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c
> +index 202fe71..61c6194 100644
> +--- a/xlators/protocol/server/src/server.c
> ++++ b/xlators/protocol/server/src/server.c
> +@@ -883,6 +883,10 @@ do_rpc:
> + goto out;
> + }
> +
> ++ GF_OPTION_RECONF ("strict-auth-accept", conf->strict_auth_enabled,
> ++ options, bool, out);
> ++
> ++
> + GF_OPTION_RECONF ("dynamic-auth", conf->dync_auth, options,
> + bool, out);
> +
> +@@ -1113,6 +1117,14 @@ init (xlator_t *this)
> + "Failed to initialize group cache.");
> + goto out;
> + }
> ++
> ++ ret = dict_get_str_boolean (this->options, "strict-auth-accept",
> ++ _gf_false);
> ++ if (ret == -1)
> ++ conf->strict_auth_enabled = _gf_false;
> ++ else
> ++ conf->strict_auth_enabled = ret;
> ++
> + ret = dict_get_str_boolean (this->options, "dynamic-auth",
> + _gf_true);
> + if (ret == -1)
> +@@ -1667,5 +1679,11 @@ struct volume_options options[] = {
> + "transport connection immediately in response to "
> + "*.allow | *.reject volume set options."
> + },
> ++ { .key = {"strict-auth-accept"},
> ++ .type = GF_OPTION_TYPE_BOOL,
> ++ .default_value = "off",
> ++ .description = "strict-auth-accept reject connection with out"
> ++ "a valid username and password."
> ++ },
> + { .key = {NULL} },
> + };
> +diff --git a/xlators/protocol/server/src/server.h b/xlators/protocol/server/src/server.h
> +index 0b37eb1..7eea291 100644
> +--- a/xlators/protocol/server/src/server.h
> ++++ b/xlators/protocol/server/src/server.h
> +@@ -24,6 +24,7 @@
> + #include "client_t.h"
> + #include "gidcache.h"
> + #include "defaults.h"
> ++#include "authenticate.h"
> +
> + #define DEFAULT_BLOCK_SIZE 4194304 /* 4MB */
> + #define DEFAULT_VOLUME_FILE_PATH CONFDIR "/glusterfs.vol"
> +@@ -105,6 +106,7 @@ struct server_conf {
> + * false, when child is down */
> +
> + gf_lock_t itable_lock;
> ++ gf_boolean_t strict_auth_enabled;
> + };
> + typedef struct server_conf server_conf_t;
> +
> +--
> +2.7.4
> +
> diff --git a/recipes-extended/glusterfs/glusterfs.inc b/recipes-extended/glusterfs/glusterfs.inc
> index 02c8a6a..8bf5653 100644
> --- a/recipes-extended/glusterfs/glusterfs.inc
> +++ b/recipes-extended/glusterfs/glusterfs.inc
> @@ -20,6 +20,8 @@ SRC_URI += "file://glusterd.init \
> file://libglusterfs-Don-t-link-against-libfl.patch \
> file://glusterd-change-port-range.patch \
> file://configure.ac-allow-PYTHON-values-to-be-passed-via-en.patch \
> + file://0001-shared-storage-Prevent-mounting-shared-storage-from-.patch \
> + file://0002-server-auth-add-option-for-strict-authentication.patch \
> "
>
> LICENSE = "(LGPLv3+ | GPLv2) & GPLv3+ & LGPLv3+ & GPLv2+ & LGPLv2+ & LGPLv2.1+ & Apache-2.0"
More information about the meta-virtualization
mailing list