1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
|
From d1936056d77abcfda14386235a88ed553341a429 Mon Sep 17 00:00:00 2001
From: Mohammed Rafi KC <rkavunga@redhat.com>
Date: Mon, 26 Mar 2018 20:27:34 +0530
Subject: [PATCH 1/3] shared storage: Prevent mounting shared storage from
non-trusted client
gluster shared storage is a volume used for internal storage for
various features including ganesha, geo-rep, snapshot.
So this volume should not be exposed to the client, as it is
a special volume for internal use.
This fix wont't generate non trusted volfile for shared storage volume.
Change-Id: I8ffe30ae99ec05196d75466210b84db311611a4c
fixes: bz#1568844
BUG: 1568844
Signed-off-by: Mohammed Rafi KC <rkavunga@redhat.com>
Upstream-Status: Backport
Fix CVE-2018-1088
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
xlators/mgmt/glusterd/src/glusterd-volgen.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c
index 0a0668e..308c41f 100644
--- a/xlators/mgmt/glusterd/src/glusterd-volgen.c
+++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c
@@ -5721,6 +5721,7 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo,
int i = 0;
int ret = -1;
char filepath[PATH_MAX] = {0,};
+ char *volname = NULL;
char *types[] = {NULL, NULL, NULL};
dict_t *dict = NULL;
xlator_t *this = NULL;
@@ -5728,6 +5729,26 @@ generate_client_volfiles (glusterd_volinfo_t *volinfo,
this = THIS;
+ volname = volinfo->is_snap_volume ?
+ volinfo->parent_volname : volinfo->volname;
+
+
+ if (volname && !strcmp (volname, GLUSTER_SHARED_STORAGE) &&
+ client_type != GF_CLIENT_TRUSTED) {
+ /*
+ * shared storage volume cannot be mounted from non trusted
+ * nodes. So we are not creating volfiles for non-trusted
+ * clients for shared volumes as well as snapshot of shared
+ * volumes.
+ */
+
+ ret = 0;
+ gf_msg_debug ("glusterd", 0, "Skipping the non-trusted volfile"
+ "creation for shared storage volume. Volume %s",
+ volname);
+ goto out;
+ }
+
enumerate_transport_reqs (volinfo->transport_type, types);
dict = dict_new ();
if (!dict)
--
2.7.4
|