RHBA-2013:0068 - Bug Fix Advisory

Topic

Updated nfs-utils packages that fix multiple bugs and add one enhancement are
now available for Red Hat Enterprise Linux 5.

Description

The nfs-utils packages provide a daemon for the kernel Network File System (NFS)
server, and related tools such as mount.nfs, umount.nfs, and showmount.

This update fixes the following bugs:

• After the ownership of the state directory is set to "rpcuser:rpcuser", the

"rpc.statd" daemon drops its privileges. This led to a file access error when
"rpc.statd" tried to unlink the backup directory at a later time. With this
update, the ownership of the backup directory is set to be the same as the UID
and GID of the "/var/lib/nfs/statd" directory. As a result, the problem no
longer occurs. (BZ#782455)

• Previously, in BZ#513094, the "noresvport option", which allows NFS clients to

use insecure ports (ports above 1023), was added to the NFS server configuration
options. Due to a regression, the umount tool was not interpreting the
"resvport" and "noresvport" values correctly which in turn caused the unmount
process to fail. With this update, the code has been improved to correctly
handle the "resvport" and "noresvport" options and the umount tool now works as
expected in the scenario described. The default is for NFS mounts to use
reserved ports. (BZ#783147)

• The NFS mount daemon allows a user to disable version 2 of the NFS protocol by

changing the value of the "MOUNTD_NFS_V2" option in the "/etc/sysconfig/nfs"
configuration file to "no". This setting also disables NFS version 1 and
therefore NFS shares are mounted by the client with NFS version 3. Previously,
the code for unmounting a shared file system from a server with such a
configuration attempted to use NFS version 1 and failed with an error. This
update applies a patch that addresses this issue so that shared file systems can
now be unmounted as expected in the scenario described. (BZ#804681)

This update also adds the following enhancement:

• A timeout option, "-t, --timeout", has been added to the client side

"rpc.gssd" daemon so that the administrator of an NFS client can specify a
timeout period for expiry of the Kerberos GSS (General Security Services) share
context cache in the kernel. After the timeout interval, "rpc.gssd" is consulted
to create a new context. By default, the timeout value is "0", that is to say no
timeout at all. This follows the previous behavior where the expiry of kernel
GSS contexts is the same as the expiry of the Kerberos ticket used in its
creation. (BZ#507341)

All users of nfs-utils are advised to upgrade to these updated packages, which
fix these bugs and add this enhancement.

Solution

Before applying this update, make sure all previously-released errata relevant
to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 507341 - svcgssd: Add time out argument
• BZ - 782455 - rpc.statd does not chown the sm.bak dir before dropping privs
• BZ - 783147 - Cannot unmount nfsv3 mounts
• BZ - 804681 - Cannot unmount NFS share if Mount version 2 is disabled.

CVEs

(none)

References

(none)