[MIR] nfs-ganesha, ntirpc

Bug #1843403 reported by Chris MacNaughton
Affects: nfs-ganesha (Ubuntu) | Importance: High | Assigned to: Unassigned
Affects: ntirpc (Ubuntu) | Importance: High | Assigned to: Unassigned

Bug Description

== nfs-ganesha ==

[Availability]
In universe

[Rationale]
Ganesha provides the NFS header/proxy for use of CephFS shared file systems as part of OpenStack Manila

[Security]
No security history:

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=nfs-ganesha

[Quality assurance]
Test suite currently disabled in package build.
No autopkgtests.

[Dependencies]
daemon in universe - any alternatives?

[Standards compliance]
OK - modern debhelper style package (compat level 9).

[Maintenance]
maintained in Debian
ubuntu-openstack for Ubuntu

[Background information]
Specifically nfs-ganesha-ceph will be seeded for support

== ntirpc ==

[Availability]
In universe

[Rationale]
Dependency for nfs-ganesha

[Security]
One CVE, much older version:

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ntirpc

[Quality assurance]
Test suite currently disabled in package build.
No autopkgtests.

[Dependencies]
all in main or detailed on this MIR

[Standards compliance]
OK - modern debhelper style package (compat level 9).

[Maintenance]
maintained in Debian
ubuntu-openstack for Ubuntu

James Page (james-page)
Changed in nfs-ganesha (Ubuntu):
milestone: none → later
description: updated
James Page (james-page) wrote :

TODO for MIR request:

Migrate package to py3 only.
Enable testing as part of package build process.
Review dependency on daemon for alternatives or include in MIR request.

description: updated
James Page (james-page) wrote :

ubuntu-mir - note that this is work for 20.04 (not 19.10) and requires some pre-work first (see #1).

Colin Watson (cjwatson) wrote :

FWIW, we're also going to be using nfs-ganesha shortly in the redeployment of git.launchpad.net (though currently with the VFS backend rather than CephFS; I expect we might want to use CephFS eventually but our infrastructure isn't ready for that yet).

Christian Ehrhardt  (paelzer) wrote :

Hi James and Chris,
I wanted to make sure everyone agrees on the ordering of actions on this - do you:
a) intend to implement the known tasks (see comment #1) first and expect a MIR review then?
or
b) do you want a MIR review now to identify if there are any further tasks that need to be resolved?

For (a) we would want to set it to incomplete now until the known todos are done.

For (b) maybe speak up in the next MIR-Team meeting so that one is assigned for review (or assign yourself if you will do it).

James Page (james-page) wrote :

a) please - we'll work the initial items early next cycle and put forward for review then.

Changed in nfs-ganesha (Ubuntu):
status: New → Incomplete
James Page (james-page)
Changed in nfs-ganesha (Ubuntu):
status: Incomplete → New
milestone: later → ubuntu-20.04
status: New → Incomplete
James Page (james-page)
description: updated
James Page (james-page) wrote :

nfs-ganesha:

Dependency on daemon can be dropped (preparing upload)
Python packaging has already been dropped by Debian maintainer until Py3 compat arrives
Test suite reviewed however is functional in nature so can't be used during the package build - autopkgtest might be an option but a lot of the tests are around latency/performance rather than function so might be brittle.

description: updated
James Page (james-page) wrote :

Also I'm working on bumping the versions of both of these packages to something a bit more recent for supportability going forward.

James Page (james-page) wrote :

Uploads to focal for nfs-ganesha (3.0.2) and ntirpc (3.0) to bring things up-to-date and re-enable the python module for py3 (disabled in Debian).

Changed in nfs-ganesha (Ubuntu):
status: Incomplete → New
James Page (james-page) wrote :

MIR ready for mir-team review

Changed in nfs-ganesha (Ubuntu):
importance: Undecided → High
Changed in ntirpc (Ubuntu):
importance: Undecided → High
James Page (james-page)
Changed in ntirpc (Ubuntu):
milestone: none → ubuntu-20.04
summary: - [MIR] nfs-ganesha
+ [MIR] nfs-ganesha, ntirpc
Changed in nfs-ganesha (Ubuntu):
assignee: nobody → Christian Ehrhardt  (paelzer)
Christian Ehrhardt  (paelzer) wrote :

[Summary]
MIR team ack from a packaging POV
But there are a bunch of TODOs for the Openstack Team that could improve the
package before being promoted while it is in the security review queue.

@Security - this needs a review for sure, assigning you

@Openstack
- you are not yet subscribed to the packages, that has to be done before
  promotion
- as you reported tests are not run at build or autopkgtest time
  - there is src/test and gtest maybe any of them can be made to work
  - could you spend a bit of time trying to enable those and only leave them
    disabled if it is really hard?
  - if above doesn't work since you do that for openstack, could you add it to
    the regular openstack tests that you do?
    That would be outside of the package but at least be some regular re-check.
- could you please check if
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889654
  is fixed on the new version?
- since upstream looks rather bad [1]
  - have you experimentally verified that the usage for ceph not only works
    but also survives e.g. some stress testing?
    Everyone would hate to realize late that this is worse than one thought.
    E.g. these are ceph (but fortunately on too old versions):
    https://github.com/nfs-ganesha/nfs-ganesha/issues/433
    https://github.com/nfs-ganesha/nfs-ganesha/issues/388
    Maybe go through the bugs in this report and verify if any of them is
    a problem for the intended setup that will be in main
- Even if you only seed the ceph package the source will get into main
  And auto-includes will add -doc , -dbg and -dev packages
  This has a -doc and I'd recommend to add an extra-exclude for the -doc
  package to not pull that and dependencies then.
  You can add that right now already.

[1]: https://github.com/nfs-ganesha/nfs-ganesha/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+crash

[Duplication]
Well, we have NFS kernel server but the intended use case here is to couple
this with different backends - primarily ceph at the moment.
I see no duplication in the archive that would do that.

[Embedded sources and static linking]
- no embedded source present
- no static linking

[Security]
- no history of CVEs
- does not use webkit1,2
- does not use lib*v8 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g., pam, etc.)

But it has quite some security sensitive elements:
- does not run a daemon as root
- does not parse data formats
- does not open a port
- access to all data passed in between

[Common blockers]
- does not FTBFS currently
- no translation present, but none needed for this case (not really user visible)
- no python2

- It has deficiencies at self-tests on build/autopkgtest time.
- atm lacks a bug subscriber

[Packaging red flags]
- Ubuntu does carry a delta, but that is to get issues fixed
  Thanks for v3.0 and the fixups
  Have you tried to bring that to Debian to reduce the maintenance
  effort long time?
- symbols tracking not applicable for this code.
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update...


Changed in nfs-ganesha (Ubuntu):
assignee: Christian Ehrhardt  (paelzer) → Ubuntu Security Team (ubuntu-security)
Christian Ehrhardt  (paelzer) wrote :

P.S. for nfs-ganesha:
There is https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862979
If that is enabled will that bring further problems/dependencies/benefits?
This could be from "oh yes we should enable" to "holy crap we have to prevent this from being enabled".
Hence I'm asking you who want to bring it into main and have the use cases in mind.

Changed in ntirpc (Ubuntu):
assignee: nobody → Christian Ehrhardt  (paelzer)
Christian Ehrhardt  (paelzer) wrote :

James already outlined in comment #6 why the tests won't work well at build time or even in autopkgtests. That is sad, but ok. If you think you can make a subset work please feel encouraged to do so.

James Page (james-page) wrote :

Bug subscriptions added

Christian Ehrhardt  (paelzer) wrote :

[Summary]
- After some longer checks it seems fine from a MIR/Packaging POV,
  but will need a security review as well.
  => MIR Team ack
- Assigning security

There are a few todos left open though, nothing that would block the security
review:

@Openstack Team:
- it seems you need to maintain these on your own
  - have you contributed the 3.x versions to Debian?
  - nfs-ganesha is the only rev-dep so it might really be on you alone
  - if no one there steps up are you ok to self-maintain those as needed?
- you are not yet subscribed to the package this is a requirement before
  promoting it
- there seem to be very little self-tests but maybe those could be enabled
  on build (rpcping / citytest)?
- Probably an artifact of the new version, but symbols need to be updated
  - also shlibs fails should be made fatal IMHO

[Duplication]
With no other dependency than nfs-ganesha* it seems that this isn't a full
lib widely used yet.
It seemed more like a sibling or broken out of ganesha itself, but then
I found it has a changelog back to 2004 so it seems separate.
A bit of research later I realized this is in fact very old.

Orig: libtirpc => https://sourceforge.net/projects/libtirpc/
Fork: libntirpc => https://github.com/linuxbox2/ntirpc
Ganesha-special: libntirpc => https://github.com/nfs-ganesha/ntirpc

The main committer of the latter two seems to be the same person.
=> https://github.com/dang
So the middle one might be dead?

The problem here is that the "classic" tirpc is in main since forever (at
least precise, maybe even further).
It doesn't have many releases being at v2.5 for years now.

But in terms of code-duplicity for things in main that is a problem.

The old lib still has plenty of dependencies so we can't just switch one for
the other.

$ reverse-depends -r focal src:libtirpc
Reverse-Depends
===============
* autofs (for libtirpc3)
* glusterfs-common (for libtirpc3)
* glusterfs-server (for libtirpc3)
* libassa-3.5-5-dev (for libtirpc-dev)
* libgfapi0 (for libtirpc3)
* libgfchangelog0 (for libtirpc3)
* libgfrpc0 (for libtirpc3)
* libgfxdr0 (for libtirpc3)
* libnis1 (for libtirpc3)
* nfs-common (for libtirpc3)
* nfs-kernel-server (for libtirpc3)
* quota (for libtirpc3)
* rpcbind (for libtirpc3)
* yp-tools (for libtirpc3)

Usually on such cases security isn't keen on maintaining both nor is Ubuntu
in general. I mean it even seems that nfs* packages use the classic tirpc lib.

I haven't tracked all the history and difference that has accrued between
those projects. But it seems that the differences might make maintaining
both valid. Without having everyone consider moving all the other projects
to the new lib or to find out why that isn't a good move either.

  Changes introduced in the ntirpc library include:
   * Bi-directional operation.
   * Full-duplex operation on the TCP (vc) transport.
   * Thread-safe operating modes:
     * new locking primitives and lock callouts (inter...


Changed in ntirpc (Ubuntu):
assignee: Christian Ehrhardt  (paelzer) → Ubuntu Security Team (ubuntu-security)
James Page (james-page) wrote : Re: [Bug 1843403] Re: [MIR] nfs-ganesha, ntirpc

On Mon, Dec 16, 2019 at 10:01 AM Christian Ehrhardt <email address hidden> wrote:

> @Openstack Team:
> - it seems you need to maintain these on your own
> - have you contributed the 3.x versions to Debian?
>

I'm in contact with the Debian maintainer and will be submitting patches
back for the version upgrade.

He's short on time right now so may take a while.

> - nfs-ganesha is the only rev-dep so it might really be on you alone
>

Ack.

> - if no one there steps up are you ok to self-maintain those as needed?
>

Yep

> - you are not yet subscribed to the package this is a requirement before
> promoting it
>

Done

> - there seem to be very little self-tests but maybe those could be enabled
> on build (rpcping / citytest)?
>

Agreed - will take a look

> - Probably an artifact of the new version, but symbols need to be updated
> - also shlibs fails should be made fatal IMHO
>

I left those in by mistake whilst trying to enable the LTTNG support in
this package - will tidy.

James Page (james-page) wrote :

ntirpc 3.0-0ubuntu2 includes:

Drop of LTTNG related symbols
Enable rpcping based tests during package build

Christian Ehrhardt  (paelzer) wrote :

On Mon, Dec 16, 2019 at 12:26 PM James Page <email address hidden> wrote:

> ntirpc 3.0-0ubuntu2 includes:
>
> Drop of LTTNG related symbols
> Enable rpcping based tests during package build
>

Perfect, thank you for these and the bug subscriptions!
Next: Waiting on security

Paulo Flabiano Smorigo (pfsmorigo) wrote :

I reviewed nfs-ganesha 3.0.3-0ubuntu1 as checked into focal. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

nfs-ganesha is a user-mode file server for NFS v3, 4.0, 4.1, 4.1 pNFS, and
4.2; and for 9P from the Plan9 operating system. It provides a FUSE-compatible
File System Abstraction Layer(FSAL) to allow the file-system developers to
plug in their own storage mechanism and access it from any NFS client.

- No CVE History found.
- It has Build-Depends for some libraries. Most relevant one is kerberos
  that provides integrity (krb5i) or integrity and encryption (krb5p).
- There aren't pre/post inst/rm scripts.
- It has three systemd units:
  - nfs-ganesha-config.service: For configuration
  - nfs-ganesha.service: The main service
  - nfs-ganesha-lock.service: File locking (the main service needs it)
- It has a dbus service called org.ganesha.nfsd and the following interfaces:
  - org.freedesktop.DBus.Introspectable: returns an xml data string that
    describes all of the other interfaces and their methods for the
    particular object path. Every object path in NFS Ganesha's server provides
    this interface.
  - org.freedesktop.DBus.Properties: This interface is for setting and
    retrieving key/value pairs of properties. NFS Ganesha currently does not
    supply this interface yet.
  - org.ganesha.nfsd.admin: Used to administer the server itself.
  - org.ganesha.nfsd.CBSIM: Only for development. It's a callback simulator.
- No setuid binaries found.
- Relevant binaries:
  - usr/bin/ganesha.nfsd
  - usr/lib/x86_64-linux-gnu/libganesha_nfsd.so.3.0
- No sudo fragments found.
- No udev rules found.
- It has ad-hoc tests (src/test) and Google G-Test framework tests (src/gtest).
  - The tests seem basic. There are more realistic tests using network that
    can be done by using extra tools.
- No cron job found.
- Build logs:
  - There are some warnings during the build. Nothing relevant found.
  - Lintian failed because of "shlib-in-multi-arch-foreign-package" which means:
    "The package is marked as Multi-Arch: foreign, but it includes a shared
    library in a public library directory."
- Memory management seems ok.
- File IO is intensive depending on the usage. Nothing to worry about was found by
  looking at the code and coverity results.
- Logging seems safe.
- Use of privileged functions not found.
- There is a use of cryptography when used with kerberos.
- Temporary file handling uses mkstemp but it seems safe.
- Use of networking seems fine. Addresses and inputs are sanitized before
  the use.
- No use of WebKit or PolicyKit found.

- All errors found in cppcheck are "Uninitialized variable" ones. Nothing to
  worry about.

- Coverity found use-after-free, out-of-bound accesses and other issues. The
  issues were analysed and they were not considered showstoppers to get the
  project in main.

Security team ACK for promoting nfs-ganesha to main. Still pending ntirpc
analysis.

Alex Murray (alexmurray) wrote :

I reviewed ntirpc 3.0-0ubuntu2 as checked into focal. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

ntirpc is a fork of the existing libtirpc library providing RPC services
for nfs-ganesha and others.

- CVE History:
  - Only 1 past CVE against ntirpc
    - CVE-2017-8779 - was fixed reasonably quickly
  - This shares a lot of code with libtirpc which has had 5 CVEs (including
    CVE-2017-8779) so I checked these against ntirpc:
    - CVE-2013-1950 - ntirpc *might* be vulnerable to this - this needs
      more thorough code review
    - CVE-2018-14621 - ntirpc is not vulnerable
    - CVE-2018-14622 - ntirpc is not vulnerable
    - CVE-2016-4429 - ntirpc appears to also be vulnerable to this - I have
      marked this as such in our CVE tracker
  - I have updated our CVE tracker so that all CVEs triaged against
    libtirpc will also get triaged against ntirpc due to the amount of
    similar code between the two so that future CVEs don't get missed
- No significant Build-Depends
  - cmake, libkrb5-dev, libjemalloc-dev, liburcu-dev
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- No binaries in PATH
- No sudo fragments
- No polkit files
- No udev rules
- No autopkgtests
- Very simple tests run during build (tests/rpcping)
  - This exercises the high-level interfaces of the library
- No cron jobs
- Build logs are clean

- No Processes spawned
- Memory management appears to be careful and deliberate
- Minimal file IO using hard-coded file paths to root-owned files
- Logging is careful
- The only environment variable used is NETPATH and this appears to be done
  carefully
- No use of privileged functions
- No use of cryptography / random number sources etc
- No use of temp files
- Network handling appears to be pretty good
  - Takes care to track buffer sizes and carefully decodes remote data
- No use of WebKit
- No Use of PolicyKit

- Significant static analysis results
  - cppcheck identifies a possible NULL pointer dereference in the City
    hash code:
    - src/city.c:412:30: note: Calling function 'CityHash128WithSeed', 1st argument 'NULL' value is 0
    - src/city.c:339:46: note: Calling function 'Fetch64', 1st argument 's' value is 0
    - src/city.c:91:9: note: Calling function 'UNALIGNED_LOAD64', 1st argument 'p' value is 0
    - src/city.c:43:18: note: Null pointer dereference
    - (ie due to the call to CityHash128WithSeed(NULL,...) this could
      result in an eventual call to memcpy with that NULL as the src
      argument)
  - coverity identifies a number of issues around handling of locks - some
    of these appear to be false positives but others could potentially be
    real issues - see attached for the full list of defects.

In general, ntirpc appears to be well maintained and does not appear to
have any obvious security issues. Other than the fact that this duplicates
a lot of code from libtirpc, no objection from the Security Team for promoting
this to main - we have updated our CVE tracker so that any future CVEs
against libtirpc will get automatically assigned to ntirpc as well so that
we do not miss any other possible fut...
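
The cppcheck trace in the ntirpc review above ends in a memcpy-based 64-bit load reached with a NULL source pointer. The following C code is an added example, not ntirpc or CityHash code: `load64`, `toy_hash64` and `checked_hash64` are hypothetical names and the mixing constants are arbitrary. It shows that a (NULL, 0) call is only safe when every load is gated on the remaining length, and how an entry-point guard makes that contract explicit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an unaligned 64-bit load done with memcpy.
 * Calling it with p == NULL is undefined behaviour: memcpy requires a
 * valid source pointer for the 8 bytes it copies. */
static uint64_t load64(const char *p)
{
	uint64_t v;

	memcpy(&v, p, sizeof(v));
	return v;
}

/* Toy mixing function (not CityHash). It exists only to give the load a
 * realistic caller. Every dereference is gated on the remaining length,
 * so a (NULL, 0) call never reaches load64(). */
static uint64_t toy_hash64(const char *s, size_t len, uint64_t seed)
{
	uint64_t h = seed ^ ((uint64_t)len * 0x9e3779b97f4a7c15ULL);

	while (len >= 8) {
		h = (h ^ load64(s)) * 0xff51afd7ed558ccdULL;
		h ^= h >> 33;
		s += 8;
		len -= 8;
	}
	while (len > 0) {
		h = (h ^ (unsigned char)*s++) * 0x100000001b3ULL;
		len--;
	}
	return h ^ (h >> 29);
}

/* Hardened entry point: a NULL buffer is accepted only together with a
 * zero length, so the "NULL means empty input" convention cannot turn
 * into a NULL load if a caller passes a stale length.
 * Returns 0 on success, -1 on a rejected argument. */
int checked_hash64(const char *s, size_t len, uint64_t seed, uint64_t *out)
{
	if (out == NULL)
		return -1;
	if (s == NULL && len != 0)
		return -1;
	*out = toy_hash64(s, len, seed);
	return 0;
}

int main(void)
{
	uint64_t h = 0;
	int rc;

	/* Constructed inputs: an empty NULL buffer and a NULL buffer with
	 * a bogus length. */
	rc = checked_hash64(NULL, 0, 1, &h);
	printf("NULL,0  -> rc=%d h=%llu\n", rc, (unsigned long long)h);
	rc = checked_hash64(NULL, 16, 1, &h);
	printf("NULL,16 -> rc=%d (rejected before any load)\n", rc);
	return 0;
}
```

Static analysers that do not track the length alongside the pointer will still flag the unguarded inner function, which is why a finding like this needs manual triage of the length checks on the reported path.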


Changed in nfs-ganesha (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Alex Murray (alexmurray) wrote :
Changed in ntirpc (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Christian Ehrhardt  (paelzer) wrote :

This seems ready for promotion, MIR and security ack present.

Changed in nfs-ganesha (Ubuntu):
status: New → In Progress
status: In Progress → Fix Committed
Changed in ntirpc (Ubuntu):
status: New → Fix Committed
Matthias Klose (doko) wrote :

Override component to main
nfs-ganesha 3.0.3-0ubuntu2 in focal: universe/misc -> main
nfs-ganesha 3.0.3-0ubuntu2 in focal amd64: universe/net/optional/100% -> main
nfs-ganesha 3.0.3-0ubuntu2 in focal arm64: universe/net/optional/100% -> main
nfs-ganesha 3.0.3-0ubuntu2 in focal armhf: universe/net/optional/100% -> main
nfs-ganesha 3.0.3-0ubuntu2 in focal ppc64el: universe/net/optional/100% -> main
nfs-ganesha 3.0.3-0ubuntu2 in focal s390x: universe/net/optional/100% -> main
nfs-ganesha-ceph 3.0.3-0ubuntu2 in focal amd64: universe/libs/optional/100% -> main
nfs-ganesha-ceph 3.0.3-0ubuntu2 in focal arm64: universe/libs/optional/100% -> main
nfs-ganesha-ceph 3.0.3-0ubuntu2 in focal armhf: universe/libs/optional/100% -> main
nfs-ganesha-ceph 3.0.3-0ubuntu2 in focal ppc64el: universe/libs/optional/100% -> main
nfs-ganesha-ceph 3.0.3-0ubuntu2 in focal s390x: universe/libs/optional/100% -> main
nfs-ganesha-doc 3.0.3-0ubuntu2 in focal amd64: universe/doc/optional/100% -> main
nfs-ganesha-doc 3.0.3-0ubuntu2 in focal arm64: universe/doc/optional/100% -> main
nfs-ganesha-doc 3.0.3-0ubuntu2 in focal armhf: universe/doc/optional/100% -> main
nfs-ganesha-doc 3.0.3-0ubuntu2 in focal i386: universe/doc/optional/100% -> main
nfs-ganesha-doc 3.0.3-0ubuntu2 in focal ppc64el: universe/doc/optional/100% -> main
nfs-ganesha-doc 3.0.3-0ubuntu2 in focal s390x: universe/doc/optional/100% -> main
nfs-ganesha-gluster 3.0.3-0ubuntu2 in focal amd64: universe/libs/optional/100% -> main
nfs-ganesha-gluster 3.0.3-0ubuntu2 in focal arm64: universe/libs/optional/100% -> main
nfs-ganesha-gluster 3.0.3-0ubuntu2 in focal armhf: universe/libs/optional/100% -> main
nfs-ganesha-gluster 3.0.3-0ubuntu2 in focal ppc64el: universe/libs/optional/100% -> main
nfs-ganesha-gluster 3.0.3-0ubuntu2 in focal s390x: universe/libs/optional/100% -> main
nfs-ganesha-gpfs 3.0.3-0ubuntu2 in focal amd64: universe/libs/optional/100% -> main
nfs-ganesha-gpfs 3.0.3-0ubuntu2 in focal arm64: universe/libs/optional/100% -> main
nfs-ganesha-gpfs 3.0.3-0ubuntu2 in focal armhf: universe/libs/optional/100% -> main
nfs-ganesha-gpfs 3.0.3-0ubuntu2 in focal ppc64el: universe/libs/optional/100% -> main
nfs-ganesha-gpfs 3.0.3-0ubuntu2 in focal s390x: universe/libs/optional/100% -> main
nfs-ganesha-mem 3.0.3-0ubuntu2 in focal amd64: universe/libs/optional/100% -> main
nfs-ganesha-mem 3.0.3-0ubuntu2 in focal arm64: universe/libs/optional/100% -> main
nfs-ganesha-mem 3.0.3-0ubuntu2 in focal armhf: universe/libs/optional/100% -> main
nfs-ganesha-mem 3.0.3-0ubuntu2 in focal ppc64el: universe/libs/optional/100% -> main
nfs-ganesha-mem 3.0.3-0ubuntu2 in focal s390x: universe/libs/optional/100% -> main
nfs-ganesha-mount-9p 3.0.3-0ubuntu2 in focal amd64: universe/libs/optional/100% -> main
nfs-ganesha-mount-9p 3.0.3-0ubuntu2 in focal arm64: universe/libs/optional/100% -> main
nfs-ganesha-mount-9p 3.0.3-0ubuntu2 in focal armhf: universe/libs/optional/100% -> main
nfs-ganesha-mount-9p 3.0.3-0ubuntu2 in focal ppc64el: universe/libs/optional/100% -> main
nfs-ganesha-mount-9p 3.0.3-0ubuntu2 in focal s390x: universe/libs/optional/100% -> main
nfs-ganesha-nullfs 3.0.3-0ubuntu2 in focal amd64: u...


Changed in ntirpc (Ubuntu):
status: Fix Committed → Fix Released
Changed in nfs-ganesha (Ubuntu):
status: Fix Committed → Fix Released