Blob Blame Raw
diff -up nfs-utils-1.2.4/aclocal/rpcsec_vers.m4.orig nfs-utils-1.2.4/aclocal/rpcsec_vers.m4
--- nfs-utils-1.2.4/aclocal/rpcsec_vers.m4.orig	2011-06-30 09:00:42.000000000 -0400
+++ nfs-utils-1.2.4/aclocal/rpcsec_vers.m4	2011-07-21 14:30:55.574408000 -0400
@@ -1,7 +1,7 @@
 dnl Checks librpcsec version
 AC_DEFUN([AC_RPCSEC_VERSION], [
 
-  PKG_CHECK_MODULES([GSSGLUE], [libgssglue >= 0.1])
+  PKG_CHECK_MODULES([GSSGLUE], [libgssglue >= 0.3])
 
   dnl TI-RPC replaces librpcsecgss
   if test "$enable_tirpc" = no; then
diff -up nfs-utils-1.2.4/configure.ac.orig nfs-utils-1.2.4/configure.ac
--- nfs-utils-1.2.4/configure.ac.orig	2011-07-21 14:30:42.702030000 -0400
+++ nfs-utils-1.2.4/configure.ac	2011-07-21 14:30:55.581408000 -0400
@@ -264,9 +264,6 @@ if test "$enable_nfsv4" = yes; then
   dnl check for nfsidmap libraries and headers
   AC_LIBNFSIDMAP
 
-  dnl enable nfsidmap when its support by libnfsidmap
-  AM_CONDITIONAL(CONFIG_NFSIDMAP, [test "$enable_nfsidmap" = "yes"])
-
   dnl check for the keyutils libraries and headers
   AC_KEYUTILS
 
@@ -276,6 +273,9 @@ if test "$enable_nfsv4" = yes; then
     AC_RPCSEC_VERSION
   fi
 fi
+dnl enable nfsidmap when its support by libnfsidmap
+AM_CONDITIONAL(CONFIG_NFSIDMAP, [test "$enable_nfsidmap" = "yes"])
+
 
 if test "$knfsd_cv_glibc2" = no; then
     AC_CHECK_LIB(bsd, daemon, [LIBBSD="-lbsd"])
diff -up nfs-utils-1.2.4/support/nfs/exports.c.orig nfs-utils-1.2.4/support/nfs/exports.c
--- nfs-utils-1.2.4/support/nfs/exports.c.orig	2011-07-21 14:30:42.731028000 -0400
+++ nfs-utils-1.2.4/support/nfs/exports.c	2011-07-21 14:30:55.588408000 -0400
@@ -784,8 +784,9 @@ struct export_features *get_export_featu
 	fd = open(path, O_RDONLY);
 	if (fd == -1)
 		goto good;
-	fd = read(fd, buf, 50);
-	if (fd == -1)
+	c = read(fd, buf, 50);
+	close(fd);
+	if (c == -1)
 		goto err;
 	c = sscanf(buf, "%x %x", &ef.flags, &ef.secinfo_flags);
 	if (c != 2)
diff -up nfs-utils-1.2.4/support/nsm/file.c.orig nfs-utils-1.2.4/support/nsm/file.c
--- nfs-utils-1.2.4/support/nsm/file.c.orig	2011-07-21 14:30:42.722027000 -0400
+++ nfs-utils-1.2.4/support/nsm/file.c	2011-07-21 14:30:55.596409000 -0400
@@ -396,18 +396,18 @@ nsm_drop_privileges(const int pidfd)
 		return false;
 	}
 
-	if (st.st_uid == 0) {
-		xlog_warn("Running as root.  "
-			"chown %s to choose different user", nsm_base_dirname);
-		return true;
-	}
-
 	if (chdir(nsm_base_dirname) == -1) {
 		xlog(L_ERROR, "Failed to change working directory to %s: %m",
 				nsm_base_dirname);
 		return false;
 	}
 
+	if (st.st_uid == 0) {
+		xlog_warn("Running as root.  "
+			"chown %s to choose different user", nsm_base_dirname);
+		return true;
+	}
+
 	/*
 	 * If the pidfile happens to reside on NFS, dropping privileges
 	 * will probably cause us to lose access, even though we are
diff -up nfs-utils-1.2.4/utils/gssd/context_lucid.c.orig nfs-utils-1.2.4/utils/gssd/context_lucid.c
--- nfs-utils-1.2.4/utils/gssd/context_lucid.c.orig	2011-06-30 09:00:42.000000000 -0400
+++ nfs-utils-1.2.4/utils/gssd/context_lucid.c	2011-07-21 14:30:55.602409000 -0400
@@ -305,7 +305,7 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss
 
 	maj_stat = gss_free_lucid_sec_context(&min_stat, ctx, return_ctx);
 	if (maj_stat != GSS_S_COMPLETE) {
-		pgsserr("gss_export_lucid_sec_context",
+		pgsserr("gss_free_lucid_sec_context",
 			maj_stat, min_stat, &krb5oid);
 		printerr(0, "WARN: failed to free lucid sec context\n");
 	}
diff -up nfs-utils-1.2.4/utils/gssd/svcgssd_krb5.c.orig nfs-utils-1.2.4/utils/gssd/svcgssd_krb5.c
--- nfs-utils-1.2.4/utils/gssd/svcgssd_krb5.c.orig	2011-06-30 09:00:42.000000000 -0400
+++ nfs-utils-1.2.4/utils/gssd/svcgssd_krb5.c	2011-07-21 14:30:55.609410000 -0400
@@ -45,6 +45,7 @@
 #include "gss_oids.h"
 #include "err_util.h"
 #include "svcgssd_krb5.h"
+#include "../mount/version.h"
 
 #define MYBUFLEN 1024
 
@@ -169,22 +170,44 @@ svcgssd_limit_krb5_enctypes(void)
 {
 #ifdef HAVE_SET_ALLOWABLE_ENCTYPES
 	u_int maj_stat, min_stat;
-	krb5_enctype default_enctypes[] = { ENCTYPE_DES_CBC_CRC,
-					    ENCTYPE_DES_CBC_MD5,
-					    ENCTYPE_DES_CBC_MD4 };
-	int default_num_enctypes =
-		sizeof(default_enctypes) / sizeof(default_enctypes[0]);
-	krb5_enctype *enctypes;
-	int num_enctypes;
+	krb5_enctype old_kernel_enctypes[] = {
+		ENCTYPE_DES_CBC_CRC,
+		ENCTYPE_DES_CBC_MD5,
+		ENCTYPE_DES_CBC_MD4 };
+	krb5_enctype new_kernel_enctypes[] = {
+		ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+		ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+		ENCTYPE_DES3_CBC_SHA1,
+		ENCTYPE_ARCFOUR_HMAC,
+		ENCTYPE_DES_CBC_CRC,
+		ENCTYPE_DES_CBC_MD5,
+		ENCTYPE_DES_CBC_MD4 };
+	krb5_enctype *default_enctypes, *enctypes;
+	int default_num_enctypes, num_enctypes;
+
+
+	if (linux_version_code() < MAKE_VERSION(2, 6, 35)) {
+		default_enctypes = old_kernel_enctypes;
+		default_num_enctypes =
+			sizeof(old_kernel_enctypes) / sizeof(old_kernel_enctypes[0]);
+	} else {
+		default_enctypes = new_kernel_enctypes;
+		default_num_enctypes =
+			sizeof(new_kernel_enctypes) / sizeof(new_kernel_enctypes[0]);
+	}
 
 	get_kernel_supported_enctypes();
 
 	if (parsed_enctypes != NULL) {
 		enctypes = parsed_enctypes;
 		num_enctypes = parsed_num_enctypes;
+		printerr(2, "%s: Calling gss_set_allowable_enctypes with %d "
+			"enctypes from the kernel\n", __func__, num_enctypes);
 	} else {
 		enctypes = default_enctypes;
 		num_enctypes = default_num_enctypes;
+		printerr(2, "%s: Calling gss_set_allowable_enctypes with %d "
+			"enctypes from defaults\n", __func__, num_enctypes);
 	}
 
 	maj_stat = gss_set_allowable_enctypes(&min_stat, gssd_creds,
diff -up nfs-utils-1.2.4/utils/mount/version.h.orig nfs-utils-1.2.4/utils/mount/version.h
--- nfs-utils-1.2.4/utils/mount/version.h.orig	2011-06-30 09:00:42.000000000 -0400
+++ nfs-utils-1.2.4/utils/mount/version.h	2011-07-21 14:30:55.614413000 -0400
@@ -23,8 +23,8 @@
 #ifndef _NFS_UTILS_MOUNT_VERSION_H
 #define _NFS_UTILS_MOUNT_VERSION_H
 
-#include <stdlib.h>
-#include <string.h>
+#include <stdio.h>
+#include <limits.h>
 
 #include <sys/utsname.h>
 
@@ -37,14 +37,16 @@ static inline unsigned int MAKE_VERSION(
 static inline unsigned int linux_version_code(void)
 {
 	struct utsname my_utsname;
-	unsigned int p, q, r;
+	unsigned int p, q = 0, r = 0;
 
+	/* UINT_MAX as backward compatibility code should not be run */
 	if (uname(&my_utsname))
-		return 0;
+		return UINT_MAX;
 
-	p = (unsigned int)atoi(strtok(my_utsname.release, "."));
-	q = (unsigned int)atoi(strtok(NULL, "."));
-	r = (unsigned int)atoi(strtok(NULL, "."));
+	/* UINT_MAX as future versions might not start with an integer */
+	if (sscanf(my_utsname.release, "%u.%u.%u", &p, &q, &r) < 1)
+		return UINT_MAX;
+	
 	return MAKE_VERSION(p, q, r);
 }
 
diff -up nfs-utils-1.2.4/utils/nfsidmap/nfsidmap.man.orig nfs-utils-1.2.4/utils/nfsidmap/nfsidmap.man
--- nfs-utils-1.2.4/utils/nfsidmap/nfsidmap.man.orig	2011-06-30 09:00:42.000000000 -0400
+++ nfs-utils-1.2.4/utils/nfsidmap/nfsidmap.man	2011-07-21 14:30:55.620410000 -0400
@@ -25,9 +25,9 @@ will need to be modified so
 can properly direct the upcall. The following line should be added before a call
 to keyctl negate:
 .PP
-create	nfs_idmap	*	*	/usr/sbin/nfsidmap %k %d 600
+create	id_resolver	*	*	/usr/sbin/nfsidmap %k %d 600
 .PP
-This will direct all nfs_idmap requests to the program
+This will direct all id_resolver requests to the program
 .I /usr/sbin/nfsidmap
 The last parameter, 600, defines how many seconds into the future the key will
 expire.  This is an optional parameter for
@@ -48,9 +48,9 @@ You can choose to handle any of these in
 generic upcall program.  If you would like to use your own program for a uid
 lookup then you would edit your request-key.conf so it looks similar to this:
 .PP
-create	nfs_idmap	uid:*	*	/some/other/program %k %d 600
+create	id_resolver	uid:*	*	/some/other/program %k %d 600
 .br
-create	nfs_idmap	*		*	/usr/sbin/nfsidmap %k %d 600
+create	id_resolver	*		*	/usr/sbin/nfsidmap %k %d 600
 .PP
 Notice that the new line was added above the line for the generic program.
 request-key will find the first matching line and run the corresponding program.