Hello community,
here is the log from the commit of package aws-efs-utils for openSUSE:Factory checked in at 2019-04-11 08:47:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/aws-efs-utils (Old)
and /work/SRC/openSUSE:Factory/.aws-efs-utils.new.27019 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "aws-efs-utils"
Thu Apr 11 08:47:58 2019 rev:3 rq:692718 version:1.7
Changes:
--------
--- /work/SRC/openSUSE:Factory/aws-efs-utils/aws-efs-utils.changes 2019-04-04 12:08:06.897400144 +0200
+++ /work/SRC/openSUSE:Factory/.aws-efs-utils.new.27019/aws-efs-utils.changes 2019-04-11 08:48:00.800542966 +0200
@@ -1,0 +2,18 @@
+Tue Apr 9 22:29:17 UTC 2019 - John Paul Adrian Glaubitz
+
+- Update to version 1.7
+ + subprocess usage: explicitly pass `close_fds = True`
+ + state_file_dir: choose safe default mode, make mode configurable
+ + choose_tls_port(): reuse socket and explicitly close it in all cases
+ + watchdog: be robust against unrelated localhost based nfs mounts
+- Drop hardening patches merged upstream
+ + 0001-subprocess-usage-explicitly-pass-close_fds-True.patch
+ + 0002-state_file_dir-choose-safe-default-mode-make-mode-co.patch
+ + 0003-pytest-adjust-tests-to-new-state_file_dir_mode-confi.patch
+ + 0004-choose_tls_port-reuse-socket-and-explicitly-close-it.patch
+ + 0005-watchdog-be-robust-against-unrelated-localhost-based.patch
+- from version 1.6
+ + fix for additional unexpected arguments
+ + add test for additional unexpected arguments
+
+-------------------------------------------------------------------
Old:
----
0001-subprocess-usage-explicitly-pass-close_fds-True.patch
0002-state_file_dir-choose-safe-default-mode-make-mode-co.patch
0003-pytest-adjust-tests-to-new-state_file_dir_mode-confi.patch
0004-choose_tls_port-reuse-socket-and-explicitly-close-it.patch
0005-watchdog-be-robust-against-unrelated-localhost-based.patch
v1.5.tar.gz
New:
----
v1.7.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ aws-efs-utils.spec ++++++
--- /var/tmp/diff_new_pack.3arsdj/_old 2019-04-11 08:48:01.600543791 +0200
+++ /var/tmp/diff_new_pack.3arsdj/_new 2019-04-11 08:48:01.600543791 +0200
@@ -17,7 +17,7 @@
Name: aws-efs-utils
-Version: 1.5
+Version: 1.7
Release: 0
Summary: Utilities for using the EFS file systems
License: MIT
@@ -25,12 +25,6 @@
Url: https://github.com/aws/efs-utils
Source0: https://github.com/aws/efs-utils/archive/v%{version}.tar.gz
Patch: efs-switchparser.patch
-# Hardening patches (see: https://github.com/aws/efs-utils/pull/26 and bsc#1125133)
-Patch1: 0001-subprocess-usage-explicitly-pass-close_fds-True.patch
-Patch2: 0002-state_file_dir-choose-safe-default-mode-make-mode-co.patch
-Patch3: 0003-pytest-adjust-tests-to-new-state_file_dir_mode-confi.patch
-Patch4: 0004-choose_tls_port-reuse-socket-and-explicitly-close-it.patch
-Patch5: 0005-watchdog-be-robust-against-unrelated-localhost-based.patch
BuildRequires: systemd
BuildRequires: systemd-rpm-macros
Requires: nfs-utils
@@ -44,12 +38,7 @@
%prep
%setup -n efs-utils-%{version}
find . -name "*.py" -exec sed -i 's/env python/python3/' {} +
-%patch
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
+%patch -p1
%build
# No build required
++++++ efs-switchparser.patch ++++++
--- /var/tmp/diff_new_pack.3arsdj/_old 2019-04-11 08:48:01.636543828 +0200
+++ /var/tmp/diff_new_pack.3arsdj/_new 2019-04-11 08:48:01.636543828 +0200
@@ -1,6 +1,7 @@
---- src/mount_efs/__init__.py.orig
-+++ src/mount_efs/__init__.py
-@@ -44,9 +44,9 @@ from contextlib import contextmanager
+diff -Nru efs-utils-1.7.orig/src/mount_efs/__init__.py efs-utils-1.7/src/mount_efs/__init__.py
+--- efs-utils-1.7.orig/src/mount_efs/__init__.py 2019-04-09 20:27:34.000000000 +0200
++++ efs-utils-1.7/src/mount_efs/__init__.py 2019-04-09 23:59:43.477327640 +0200
+@@ -44,9 +44,9 @@
from logging.handlers import RotatingFileHandler
try:
@@ -12,7 +13,7 @@
try:
from urllib2 import urlopen, URLError
-@@ -517,7 +517,7 @@ def assert_root():
+@@ -537,7 +537,7 @@
def read_config(config_file=CONFIG_FILE):
@@ -21,9 +22,10 @@
p.read(config_file)
return p
---- src/watchdog/__init__.py.orig
-+++ src/watchdog/__init__.py
-@@ -21,9 +21,9 @@ from logging.handlers import RotatingFil
+diff -Nru efs-utils-1.7.orig/src/watchdog/__init__.py efs-utils-1.7/src/watchdog/__init__.py
+--- efs-utils-1.7.orig/src/watchdog/__init__.py 2019-04-09 20:27:34.000000000 +0200
++++ efs-utils-1.7/src/watchdog/__init__.py 2019-04-09 23:59:43.477327640 +0200
+@@ -21,9 +21,9 @@
from signal import SIGTERM
try:
@@ -33,9 +35,9 @@
- from configparser import ConfigParser
+ import configparser as cp
- VERSION = '1.5'
+ VERSION = '1.7'
-@@ -275,7 +275,7 @@ def assert_root():
+@@ -280,7 +280,7 @@
def read_config(config_file=CONFIG_FILE):
@@ -44,8 +46,9 @@
p.read(config_file)
return p
---- test/mount_efs_test/test_choose_tls_port.py.orig
-+++ test/mount_efs_test/test_choose_tls_port.py
+diff -Nru efs-utils-1.7.orig/test/mount_efs_test/test_choose_tls_port.py efs-utils-1.7/test/mount_efs_test/test_choose_tls_port.py
+--- efs-utils-1.7.orig/test/mount_efs_test/test_choose_tls_port.py 2019-04-09 20:27:34.000000000 +0200
++++ efs-utils-1.7/test/mount_efs_test/test_choose_tls_port.py 2019-04-09 23:59:43.477327640 +0200
@@ -7,9 +7,13 @@
#
@@ -61,7 +64,7 @@
import pytest
from mock import MagicMock
-@@ -19,7 +23,7 @@ DEFAULT_TLS_PORT_RANGE_HIGH = 20449
+@@ -19,7 +23,7 @@
def _get_config():
@@ -70,8 +73,9 @@
config.add_section(mount_efs.CONFIG_SECTION)
config.set(mount_efs.CONFIG_SECTION, 'port_range_lower_bound', str(DEFAULT_TLS_PORT_RANGE_LOW))
config.set(mount_efs.CONFIG_SECTION, 'port_range_upper_bound', str(DEFAULT_TLS_PORT_RANGE_HIGH))
---- test/mount_efs_test/test_write_stunnel_config_file.py.orig
-+++ test/mount_efs_test/test_write_stunnel_config_file.py
+diff -Nru efs-utils-1.7.orig/test/mount_efs_test/test_write_stunnel_config_file.py efs-utils-1.7/test/mount_efs_test/test_write_stunnel_config_file.py
+--- efs-utils-1.7.orig/test/mount_efs_test/test_write_stunnel_config_file.py 2019-04-09 20:27:34.000000000 +0200
++++ efs-utils-1.7/test/mount_efs_test/test_write_stunnel_config_file.py 2019-04-09 23:59:43.477327640 +0200
@@ -7,9 +7,13 @@
#
@@ -87,7 +91,7 @@
import pytest
FS_ID = 'fs-deadbeef'
-@@ -32,7 +36,7 @@ def _get_config(mocker, stunnel_debug_en
+@@ -32,7 +36,7 @@
if stunnel_check_cert_validity is None:
stunnel_check_cert_validity = stunnel_check_cert_validity_supported
++++++ v1.5.tar.gz -> v1.7.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.5/build-deb.sh new/efs-utils-1.7/build-deb.sh
--- old/efs-utils-1.5/build-deb.sh 2018-10-11 20:53:51.000000000 +0200
+++ new/efs-utils-1.7/build-deb.sh 2019-04-09 20:27:34.000000000 +0200
@@ -11,7 +11,7 @@
BASE_DIR=$(pwd)
BUILD_ROOT=${BASE_DIR}/build/debbuild
-VERSION=1.5
+VERSION=1.7
echo 'Cleaning deb build workspace'
rm -rf ${BUILD_ROOT}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.5/dist/amazon-efs-utils.control new/efs-utils-1.7/dist/amazon-efs-utils.control
--- old/efs-utils-1.5/dist/amazon-efs-utils.control 2018-10-11 20:53:51.000000000 +0200
+++ new/efs-utils-1.7/dist/amazon-efs-utils.control 2019-04-09 20:27:34.000000000 +0200
@@ -1,6 +1,6 @@
Package: amazon-efs-utils
Architecture: all
-Version: 1.5
+Version: 1.7
Section: utils
Depends: python|python2, nfs-common, stunnel4 (>= 4.56)
Priority: optional
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.5/dist/amazon-efs-utils.spec new/efs-utils-1.7/dist/amazon-efs-utils.spec
--- old/efs-utils-1.5/dist/amazon-efs-utils.spec 2018-10-11 20:53:51.000000000 +0200
+++ new/efs-utils-1.7/dist/amazon-efs-utils.spec 2019-04-09 20:27:34.000000000 +0200
@@ -20,7 +20,7 @@
%endif
Name : amazon-efs-utils
-Version : 1.5
+Version : 1.7
Release : 1%{?dist}
Summary : This package provides utilities for simplifying the use of EFS file systems
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.5/dist/efs-utils.conf new/efs-utils-1.7/dist/efs-utils.conf
--- old/efs-utils-1.5/dist/efs-utils.conf 2018-10-11 20:53:51.000000000 +0200
+++ new/efs-utils-1.7/dist/efs-utils.conf 2019-04-09 20:27:34.000000000 +0200
@@ -10,6 +10,8 @@
logging_level = INFO
logging_max_bytes = 1048576
logging_file_count = 10
+# mode for /var/run/efs in octal
+state_file_dir_mode = 750
[mount]
dns_name_format = {fs_id}.efs.{region}.amazonaws.com
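Review bot: The comment on `state_file_dir_mode` could say when the value takes effect: judging from the mount_efs hunk further down, the mode is handed to `os.makedirs` and only when the state directory does not exist yet, so an already-present `/var/run/efs` keeps its current permissions, and the process umask is still applied at creation. Suggest `# mode for /var/run/efs in octal; applied (subject to umask) only when the directory is first created`.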
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.5/src/mount_efs/__init__.py new/efs-utils-1.7/src/mount_efs/__init__.py
--- old/efs-utils-1.5/src/mount_efs/__init__.py 2018-10-11 20:53:51.000000000 +0200
+++ new/efs-utils-1.7/src/mount_efs/__init__.py 2019-04-09 20:27:34.000000000 +0200
@@ -54,7 +54,7 @@
from urllib.error import URLError
from urllib.request import urlopen
-VERSION = '1.5'
+VERSION = '1.7'
CONFIG_FILE = '/etc/amazon/efs/efs-utils.conf'
CONFIG_SECTION = 'mount'
@@ -180,8 +180,9 @@
ports_to_try = tls_ports[mid:] + tls_ports[:mid]
assert len(tls_ports) == len(ports_to_try)
+ sock = socket.socket()
+
for tls_port in ports_to_try:
- sock = socket.socket()
try:
sock.bind(('localhost', tls_port))
sock.close()
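Review bot: Only `socket.error` is caught around `sock.bind(...)`, so any other exception from a bad configured port (on CPython, for example, an `OverflowError` when the range reaches past 65535) escapes the loop and, now that `sock` is created once before it, leaves the hoisted socket open; the `sock.close()` added in the next hunk runs only on the fall-through path to `fatal_error`. A `try`/`finally` around the loop closes the socket on every exit and makes the explicit close in the next hunk unnecessary. choose_tls_port starts before this hunk and its `fatal_error` tail is in the following one.
```python
    sock = socket.socket()
    try:
        for tls_port in ports_to_try:
            try:
                sock.bind(('localhost', tls_port))
                # … unchanged: success path after a successful bind …
            except socket.error:
                continue
        # … unchanged: fatal_error call from the next hunk …
    finally:
        sock.close()
```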
@@ -189,6 +190,8 @@
except socket.error:
continue
+ sock.close()
+
fatal_error('Failed to locate an available port in the range [%d, %d], '
'try specifying a different port range in %s'
% (lower_bound, upper_bound, CONFIG_FILE))
@@ -235,7 +238,7 @@
def get_version_specific_stunnel_options(config):
- proc = subprocess.Popen(['stunnel', '-help'], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ proc = subprocess.Popen(['stunnel', '-help'], stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True)
proc.wait()
_, err = proc.communicate()
@@ -355,7 +358,7 @@
return
with open(os.devnull, 'w') as devnull:
- rc = subprocess.call(['systemctl', 'status', 'network.target'], stdout=devnull, stderr=devnull)
+ rc = subprocess.call(['systemctl', 'status', 'network.target'], stdout=devnull, stderr=devnull, close_fds=True)
if rc != 0:
fatal_error('Failed to mount %s because the network was not yet available, add "_netdev" to your mount options' % fs_id,
@@ -364,19 +367,20 @@
def start_watchdog(init_system):
if init_system == 'init':
- proc = subprocess.Popen(['/sbin/status', WATCHDOG_SERVICE], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ proc = subprocess.Popen(
+ ['/sbin/status', WATCHDOG_SERVICE], stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True)
status, _ = proc.communicate()
if 'stop' in status:
with open(os.devnull, 'w') as devnull:
- subprocess.Popen(['/sbin/start', WATCHDOG_SERVICE], stdout=devnull, stderr=devnull)
+ subprocess.Popen(['/sbin/start', WATCHDOG_SERVICE], stdout=devnull, stderr=devnull, close_fds=True)
elif 'start' in status:
logging.debug('%s is already running', WATCHDOG_SERVICE)
elif init_system == 'systemd':
- rc = subprocess.call(['systemctl', 'is-active', '--quiet', WATCHDOG_SERVICE])
+ rc = subprocess.call(['systemctl', 'is-active', '--quiet', WATCHDOG_SERVICE], close_fds=True)
if rc != 0:
with open(os.devnull, 'w') as devnull:
- subprocess.Popen(['systemctl', 'start', WATCHDOG_SERVICE], stdout=devnull, stderr=devnull)
+ subprocess.Popen(['systemctl', 'start', WATCHDOG_SERVICE], stdout=devnull, stderr=devnull, close_fds=True)
else:
logging.debug('%s is already running', WATCHDOG_SERVICE)
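Review bot: `status, _ = proc.communicate()` returns bytes under Python 3, so `'stop' in status` on the next line raises TypeError instead of matching; since the openSUSE spec rewrites the shebang to python3, this would break on a host where `init_system == 'init'`, which is the only path that reaches it. Passing text mode to the rewritten Popen gives a str on both Python 2 and 3: `['/sbin/status', WATCHDOG_SERVICE], stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True, universal_newlines=True)`. start_watchdog ends outside this hunk.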
@@ -386,12 +390,26 @@
logging.warning(error_message)
+def create_state_file_dir(config, state_file_dir):
+ mode = 0o750
+ try:
+ mode_str = config.get(CONFIG_SECTION, 'state_file_dir_mode')
+ try:
+ mode = int(mode_str, 8)
+ except ValueError:
+ logging.warn('Bad state_file_dir_mode "%s" in config file "%s"', mode_str, CONFIG_FILE)
+ except ConfigParser.NoOptionError:
+ pass
+
+ os.makedirs(state_file_dir, mode)
+
+
@contextmanager
def bootstrap_tls(config, init_system, dns_name, fs_id, mountpoint, options, state_file_dir=STATE_FILE_DIR):
start_watchdog(init_system)
if not os.path.exists(state_file_dir):
- os.makedirs(state_file_dir)
+ create_state_file_dir(config, state_file_dir)
tls_port = choose_tls_port(config)
options['tlsport'] = tls_port
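Review bot: The fallback in `create_state_file_dir` looks fragile: `except ConfigParser.NoOptionError:` resolves `NoOptionError` on whatever `ConfigParser` is bound to, and with the Python 3 import the sibling watchdog module shows (`from configparser import ConfigParser`) that name is the class, which has no such attribute; the openSUSE efs-switchparser.patch further rebinds the import to `import configparser as cp`, so a config file lacking `state_file_dir_mode` would most likely end in an AttributeError or NameError from the except clause rather than the intended 0o750 default. Neither the packaged conf (which sets the option) nor the new test side effect (which always returns `'0755'`) exercises that clause, so a test that omits the option would catch this. Consider naming the exception in a way that is valid under the import actually in use (e.g. `cp.NoOptionError` after the patch), and `logging.warn` is the deprecated alias of `logging.warning`. bootstrap_tls continues past the end of this hunk.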
@@ -404,7 +422,8 @@
# launch the tunnel in a process group so if it has any child processes, they can be killed easily by the mount watchdog
logging.info('Starting TLS tunnel: "%s"', ' '.join(tunnel_args))
- tunnel_proc = subprocess.Popen(tunnel_args, stdout=subprocess.PIPE, stderr=subprocess.PIPE, preexec_fn=os.setsid)
+ tunnel_proc = subprocess.Popen(
+ tunnel_args, stdout=subprocess.PIPE, stderr=subprocess.PIPE, preexec_fn=os.setsid, close_fds=True)
logging.info('Started TLS tunnel, pid: %d', tunnel_proc.pid)
temp_tls_state_file = write_tls_tunnel_state_file(fs_id, mountpoint, tls_port, tunnel_proc.pid, tunnel_args,
@@ -458,7 +477,7 @@
logging.info('Executing: "%s"', ' '.join(command))
- proc = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ proc = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True)
out, err = proc.communicate()
if proc.returncode == 0:
@@ -499,8 +518,9 @@
fsname = args[1]
if len(args) > 2:
mountpoint = args[2]
- if len(args) > 4 and args[3] == '-o':
- options = parse_options(args[4])
+ if len(args) > 4 and '-o' in args[:-1]:
+ options_index = args.index('-o') + 1
+ options = parse_options(args[options_index])
if not fsname or not mountpoint:
usage(out=sys.stderr)
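Review bot: The new search `'-o' in args[:-1]` also scans the positional slots `args[1]` and `args[2]` that were already consumed as fsname and mountpoint a few lines above, so an argument list where one of those happens to be `-o` is parsed as carrying options. Restricting the search to the flag region keeps the intent of skipping `-v`: `if len(args) > 4 and '-o' in args[3:-1]:` and `options_index = args.index('-o', 3) + 1`. parse_arguments starts before this hunk.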
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.5/src/watchdog/__init__.py new/efs-utils-1.7/src/watchdog/__init__.py
--- old/efs-utils-1.5/src/watchdog/__init__.py 2018-10-11 20:53:51.000000000 +0200
+++ new/efs-utils-1.7/src/watchdog/__init__.py 2019-04-09 20:27:34.000000000 +0200
@@ -25,7 +25,7 @@
except ImportError:
from configparser import ConfigParser
-VERSION = '1.5'
+VERSION = '1.7'
CONFIG_FILE = '/etc/amazon/efs/efs-utils.conf'
CONFIG_SECTION = 'mount-watchdog'
@@ -95,6 +95,9 @@
mountpoint = mountpoint[1:]
opts = parse_options(mount.options)
+ if 'port' not in opts:
+ # some other localhost nfs mount not running over stunnel
+ return None
return mountpoint + '.' + opts['port']
@@ -113,7 +116,9 @@
mount_dict = {}
for m in mounts:
- mount_dict[get_file_safe_mountpoint(m)] = m
+ safe_mnt = get_file_safe_mountpoint(m)
+ if safe_mnt:
+ mount_dict[safe_mnt] = m
return mount_dict
@@ -150,7 +155,7 @@
def start_tls_tunnel(child_procs, state_file, command):
# launch the tunnel in a process group so if it has any child processes, they can be killed easily
logging.info('Starting TLS tunnel: "%s"', ' '.join(command))
- tunnel = subprocess.Popen(command, preexec_fn=os.setsid)
+ tunnel = subprocess.Popen(command, preexec_fn=os.setsid, close_fds=True)
if not is_pid_running(tunnel.pid):
fatal_error('Failed to initialize TLS tunnel for %s' % state_file, 'Failed to start TLS tunnel.')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.5/test/mount_efs_test/test_bootstrap_tls.py new/efs-utils-1.7/test/mount_efs_test/test_bootstrap_tls.py
--- old/efs-utils-1.5/test/mount_efs_test/test_bootstrap_tls.py 2018-10-11 20:53:51.000000000 +0200
+++ new/efs-utils-1.7/test/mount_efs_test/test_bootstrap_tls.py 2019-04-09 20:27:34.000000000 +0200
@@ -66,6 +66,14 @@
mocker.patch('os.kill')
state_file_dir = str(tmpdir.join(tempfile.mktemp()))
+ def config_get_side_effect(section, field):
+ if section == mount_efs.CONFIG_SECTION and field == 'state_file_dir_mode':
+ return '0755'
+ else:
+ raise ValueError('Unexpected arguments')
+
+ MOCK_CONFIG.get.side_effect = config_get_side_effect
+
assert not os.path.exists(state_file_dir)
with mount_efs.bootstrap_tls(MOCK_CONFIG, INIT_SYSTEM, DNS_NAME, FS_ID, MOUNT_POINT, {}, state_file_dir):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.5/test/mount_efs_test/test_parse_arguments.py new/efs-utils-1.7/test/mount_efs_test/test_parse_arguments.py
--- old/efs-utils-1.5/test/mount_efs_test/test_parse_arguments.py 2018-10-11 20:53:51.000000000 +0200
+++ new/efs-utils-1.7/test/mount_efs_test/test_parse_arguments.py 2019-04-09 20:27:34.000000000 +0200
@@ -77,6 +77,16 @@
assert {} == options
+def test_parse_arguments_verbose():
+ fsid, path, mountpoint, options = mount_efs.parse_arguments(None,
+ ['mount', 'fs-deadbeef:/home', '/dir', '-v', '-o', 'foo,bar=baz,quux'])
+
+ assert 'fs-deadbeef' == fsid
+ assert '/home' == path
+ assert '/dir' == mountpoint
+ assert {'foo': None, 'bar': 'baz', 'quux': None} == options
+
+
def test_parse_arguments():
fsid, path, mountpoint, options = mount_efs.parse_arguments(None,
['mount', 'fs-deadbeef:/home', '/dir', '-o', 'foo,bar=baz,quux'])