Hello community, here is the log from the commit of package autofs.3591 for openSUSE:13.1:Update checked in at 2015-03-11 13:05:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1:Update/autofs.3591 (Old) and /work/SRC/openSUSE:13.1:Update/.autofs.3591.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "autofs.3591" Changes: -------- New Changes file: --- /dev/null 2015-02-28 12:43:00.252025756 +0100 +++ /work/SRC/openSUSE:13.1:Update/.autofs.3591.new/autofs.changes 2015-03-11 13:05:41.000000000 +0100 @@ -0,0 +1,1804 @@ +------------------------------------------------------------------- +Tue Mar 3 10:56:48 CET 2015 - mszer...@suse.cz + +- prevent potential privilege escalation via interpreter load path + for program-based automount maps, add the following patches: + autofs-5.1.0-add-a-prefix-to-program-map-stdvars.patch + autofs-5.1.0-add-config-option-to-force-use-of-program-map-stdvars.patch + (bnc#917977 CVE-2014-8169) + +------------------------------------------------------------------- +Fri Sep 19 13:24:08 UTC 2014 - lchiqui...@suse.com + +- update to stable release 5.0.9 (bnc#869806): + * fix ipv6 link local address handling + * fix fix ipv6 libtirpc getport + * get_nfs_info() should query portmapper if port is not given + * fix rpc_portmap_getport() proto not set + * fix protmap not trying proto v2 + * fix rpc_getport() when libtirpc is disabled + * fix rpc_getrpcbport() when libtirpc is disabled + * don't reset errno + * extend fix for crash due to thread unsafe use of libldap + * fix deadlock in init_ldap_connection + * fix options compare + * fix negative status being reset on map read + * check for existing offset mount before mounting + * fix max() declaration + * fix symlink fail message in mount_bind.c + * fix cache readlock not taken on lookup + * pass map_source as function paramter where possible + * check for bind onto self in mount_bind.c + * fix symlink expire + * dont clobber mapent for negative cache + * fix macro_addvar() and move init to main thread + * change walk_tree() to take ap + * add negative cache lookup to hesiod lookup + * fix external env configure + * make autofs(5) consistent with auto.master(5) + * fix map source with type lookup + * fix lookup_nss_mount() map lookup + * dont ignore null cache entries on multi mount umount + * fix inconsistent error returns in handle_packet_missing_direct() + * simple coverity fixes + * fix fix options compare + * use open(2) instead of access(2) to trigger dependent mounts + * fix fix map source with type lookup + * fixes for samples/auto.master + * fix variable substitution description + * fix incorrect append options description in README.v5-release + * add amd map format parser +- drop patches that are already included in the new version: + * autofs-5.0.8-upstream-patches-20131124.bz2 + * autofs-5.0.8-serialize-libldap-unbind.patch + * autofs-5.0.8-fix-serialize-libldap-init.patch + * autofs-5.0.8-eaccess.patch +- autofs-5.0.8-dbus-udisks-monitor.patch: refresh +- autofs-5.0.8-task-use-after-free.patch: refresh +- autofs-5.0.8-revert-fix-libtirpc-name-clash.patch: refresh +- autofs-suse-auto-master-defaults.patch: rename and refresh + +------------------------------------------------------------------- +Mon Mar 10 11:49:50 UTC 2014 - lchiqui...@suse.com + +- the update to version 5.0.8 also fixes the special -hosts map + (auto.net) in IPv6 environments (bnc#847207) + +------------------------------------------------------------------- +Wed Feb 19 01:25:05 CET 2014 - lchiqui...@suse.de + +- autofs-5.0.8-fix-serialize-libldap-init.patch: fix deadlock when + trying to lock mutex that's already owned by the same thread + (bnc#859969) +- autofs-5.0.8-serialize-libldap-unbind.patch: serialize LDAP unbind + operations, as they're also not thread-safe and could cause + segmentation faults (bnc#853469) + +------------------------------------------------------------------- +Wed Feb 19 01:24:50 CET 2014 - lchiqui...@suse.de + +- autofs-5.0.8-upstream-patches-20131124.bz2: update 5.0.8 upstream + patches up to 2013-11-24, fixing the following bugs: + * fix undefined authtype_requires_creds err if ldap enabled but + without sasl + * fix master map type check + * fix task manager not getting signaled + * allow --with-systemd to take a path arg + * fix WITH_LIBTIRPC function name + * fix ipv6 libtirpc getport + +------------------------------------------------------------------- +Wed Feb 19 01:24:31 CET 2014 - lchiqui...@suse.de + +- update to version 5.0.8: + * fix add null check in parse_server_string() + * check for protocol option + * use ulimit max open files if greater than internal maximum + * don't override LDFLAGS in make rules + * fix a couple of compiler warnings + * add after sssd dependency to unit file + * dont start readmap unless ready + * fix crash due to thread unsafe use of libldap (bnc#820585) + * fix compile error with heimdal support enabled + * fix typo forced-shutdown should be force-shutdown + * fix hesiod check error and use correct $(LIBS) setting + * fix dead LDAP symbolic link when LDAP support is disabled + * add missing libtirpc lib to mount_nfs.so when TIRPC enabled + * use compiler determined by configure instead of hard-coded ones + * remove hard-coded STRIP variable + * use LIBS for link libraries + * unbundle NOTSTRIP from DEBUG so they dont depend on each other + * fix occasional build error when enable parallel compiling + * fix compilation of lookup_ldap.c without sasl + * fix dumpmaps multi output + * try and cleanup after dumpmaps + * teach dumpmaps to output simple key value pairs + * fix syncronize handle_mounts() shutdown + * fix fix wildcard multi map regression + * improve timeout option description + * only probe specific nfs version when requested + * fix bad mkdir permission on create + * setup program map env from macro table + * add short host name standard marco variable + * allow use of hosts map in maps + * fix get_nfs_info() probe + * fix portmap lookup + * add std vars to program map invocation + * samples/auto.smb: add logic to obtain credentials +- autofs-5.0.8-dbus-udisks-monitor.patch: rebase on top of 5.0.8 +- autofs-5.0.7-fix-add-null-check-in-parse_server_stri.patch: drop +- autofs-suse-build.patch: drop + +------------------------------------------------------------------- +Fri Nov 8 16:14:58 UTC 2013 - arvidj...@gmail.com + +- autofs-5.0.7-fix-add-null-check-in-parse_server_stri.patch + Fix parsing of legacy LDAP map syntax (bnc#847494) + +------------------------------------------------------------------- +Sun Jul 7 17:27:39 UTC 2013 - lchiqui...@suse.com + +- autofs-5.0.7-upstream-patches-20130619.bz2: update 5.0.7 upstream + patches up to 2013-06-19, fixing some bugs: + * make dump maps check for duplicate indirect mounts + * document allowed map sources in auto.master + * add enable sloppy mount option to configure + * fix interface address null check + * don't probe rdma mounts + * fix master map mount options matching + * fix master map bogus keywork match + * fix fix map entry duplicate offset detection + * probe each nfs version in turn for singleton mounts + * fix probe each nfs version in turn for singleton mounts + * misc man page fixes + +------------------------------------------------------------------- +Sun Jun 16 02:25:35 UTC 2013 - jeng...@inai.de + +- Explicitly specify cyrus-sasl-devel and openssl-devel + which were implicit before + +------------------------------------------------------------------- +Sun May 12 10:02:05 UTC 2013 - lchiqui...@suse.com + +- autofs-5.0.7-upstream-patches-20130428.bz2: update 5.0.7 upstream + patches up to 2013-04-28, fixing some bugs: + * fix some automount(8) typos + * syncronize handle_mounts() shutdown + * fix submount tree not all expiring (bnc#801808) +- remove patches that are now upstream: + * autofs-5.0.7-fix-submount-tree-not-all-expiring.patch + +------------------------------------------------------------------- +Tue Apr 9 20:43:54 UTC 2013 - lchiqui...@suse.com + +- autofs-5.0.7-fix-submount-tree-not-all-expiring.patch: expire + multiple levels of recursive mounts correctly (bnc#801808) + +------------------------------------------------------------------- +Mon Mar 11 13:36:06 UTC 2013 - lchiqui...@suse.com + +- autofs-5.0.7-upstream-patches-20130311.bz2: update 5.0.7 upstream + patches to 20130311, fixing some bugs: + * dont fail on master map self include (bnc#799873) + * fix wildcard multi map regression + * fix file descriptor leak when reloading the daemon (bnc#772698) + * deprecate nosymlink pseudo option + * add symlink pseudo option + * document browse option in man page + +------------------------------------------------------------------- +Wed Feb 6 21:30:49 UTC 2013 - lchiqui...@suse.com + +- autofs-5.0.6-invalid-ghost-dirs.patch: delete. the problem's + root cause was fixed in the kernel + +------------------------------------------------------------------- +Tue Jan 29 16:38:22 UTC 2013 - lchiqui...@suse.com ++++ 1607 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.1:Update/.autofs.3591.new/autofs.changes New: ---- NetworkManager-autofs README.SUSE README.SUSE.ldap autofs-5.0.8-dbus-udisks-monitor.patch autofs-5.0.8-revert-fix-libtirpc-name-clash.patch autofs-5.0.8-task-use-after-free.patch autofs-5.0.9.tar.xz autofs-5.1.0-add-a-prefix-to-program-map-stdvars.patch autofs-5.1.0-add-config-option-to-force-use-of-program-map-stdvars.patch autofs-rpmlintrc autofs-suse-auto-master-defaults.patch autofs-suse-build.patch autofs.changes autofs.init autofs.schema autofs.service autofs.spec get-upstream-patches org.freedesktop.AutoMount.conf sysconfig.autofs ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ autofs.spec ++++++ # # spec file for package autofs # # Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # %if 0%{?suse_version} >= 1220 %define with_systemd 1 %else %define with_systemd 0 %endif %if 0%{?suse_version} >= 1140 %define with_udisks 1 %else %define with_udisks 0 %endif %if 0%{?suse_version} >= 1230 %define with_sssd 1 %else %define with_sssd 0 %endif Name: autofs Url: http://www.kernel.org/pub/linux/daemons/autofs/v5/ BuildRequires: autoconf BuildRequires: bison BuildRequires: cyrus-sasl-devel BuildRequires: dbus-1-devel BuildRequires: e2fsprogs BuildRequires: flex BuildRequires: krb5-devel BuildRequires: libopenssl-devel BuildRequires: libtirpc-devel BuildRequires: libxml2-devel BuildRequires: module-init-tools BuildRequires: nfs-client BuildRequires: openldap2-devel BuildRequires: pkg-config %if %{with_sssd} BuildRequires: sssd %endif %if %{with_udisks} BuildRequires: udisks-devel %endif %if %{with_systemd} BuildRequires: systemd %endif Version: 5.0.9 Release: 0 Summary: A Kernel-Based Automounter License: GPL-2.0+ Group: System/Daemons BuildRoot: %{_tmppath}/%{name}-%{version}-build Source: ftp://ftp.kernel.org/pub/linux/daemons/autofs/v5/%{name}-%{version}.tar.xz Source1: sysconfig.autofs Source2: autofs.init Source3: autofs.schema Source4: README.SUSE.ldap Source5: README.SUSE Source6: autofs.service Source7: NetworkManager-autofs Source8: get-upstream-patches Source42: org.freedesktop.AutoMount.conf Source100: autofs-rpmlintrc # PATCH-FIX-OPENSUSE autofs-5.0.8-revert-fix-libtirpc-name-clash.patch Patch1: autofs-5.0.8-revert-fix-libtirpc-name-clash.patch # PATCH-FIX-UPSTREAM autofs-5.0.8-task-use-after-free.patch [bnc#727392] Patch82: autofs-5.0.8-task-use-after-free.patch Patch84: autofs-5.1.0-add-a-prefix-to-program-map-stdvars.patch Patch85: autofs-5.1.0-add-config-option-to-force-use-of-program-map-stdvars.patch # PATCH-FIX-OPENSUSE autofs-suse-auto-master-defaults.patch Patch100: autofs-suse-auto-master-defaults.patch # PATCH-EXTEND-OPENSUSE autofs-5.0.8-dbus-udisks-monitor.patch Patch102: autofs-5.0.8-dbus-udisks-monitor.patch Requires(pre): %fillup_prereq Requires(pre): %insserv_prereq Requires(pre): aaa_base %if %{with_systemd} %{?systemd_requires} %endif Recommends: nfs-client %description AutoFS is a kernel-based automounter for Linux. It automatically mounts filesystems when you use them, and unmounts them later when you are not using them. This can include network filesystems, CD-ROMs, floppies, and so forth. %prep %setup -q cp %{SOURCE3} . cp %{SOURCE4} . cp %{SOURCE5} . # %patch1 -p1 %patch82 -p1 %patch84 -p1 %patch85 -p1 %patch100 -p1 %patch102 -p0 -b .udisks %build SUSE_ASNEEDED=0 %configure %{_target_cpu}-suse-linux \ --libdir=%{_libdir} --mandir=%{_mandir} \ --with-confdir=/etc/sysconfig \ --disable-mount-locking \ --enable-forced-shutdown \ --enable-ignore-busy \ %if %{with_systemd} --with-systemd \ %endif --with-libtirpc \ --with-hesiod=no \ --with-sasl make all DONTSTRIP=1 LOCAL_CFLAGS="%{optflags} %(getconf LFS_CFLAGS)" \ %{?_smp_mflags} %install make install INSTALLROOT=%{buildroot} install -d -m 755 %{buildroot}%{_sysconfdir}/auto.master.d install -D -m 644 %{SOURCE1} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.autofs install -D -m 755 %{SOURCE7} %{buildroot}%{_sysconfdir}/NetworkManager/dispatcher.d/autofs install -D -m 755 %{SOURCE2} %{buildroot}%{_sysconfdir}/init.d/autofs ln -s ../../etc/init.d/autofs %{buildroot}%{_sbindir}/rcautofs ln -s %{_mandir}/man8/autofs.8.gz %{buildroot}/%{_mandir}/man8/rcautofs.8.gz %if %{with_systemd} install -D -m 644 %{SOURCE6} %{buildroot}%{_unitdir}/autofs.service %endif %if 0%{?suse_version} >= 1230 install -D -m 644 %{SOURCE42} %{buildroot}%{_sysconfdir}/dbus-1/system.d/org.freedesktop.AutoMount.conf %endif # will be installed by fillup scripts rm -f %{buildroot}%{_sysconfdir}/sysconfig/autofs %pre %if %{with_systemd} %service_add_pre %{name}.service %endif %post if /sbin/chkconfig -c autofs 3; then %{insserv_force_if_yast autofs} fi %{fillup_only -n autofs} %if %{with_systemd} %service_add_post %{name}.service %endif %preun %{stop_on_removal autofs} %if %{with_systemd} %service_del_preun %{name}.service %endif %postun %{restart_on_update autofs} %{insserv_cleanup} %if %{with_systemd} %service_del_postun %{name}.service %endif %files %defattr (-, root, root) %{_localstatedir}/adm/fillup-templates/sysconfig.autofs %config(noreplace) %{_sysconfdir}/auto.master %config(noreplace) %{_sysconfdir}/auto.misc %config(noreplace) %{_sysconfdir}/auto.net %config(noreplace) %{_sysconfdir}/auto.smb %config(noreplace) %{_sysconfdir}/autofs_ldap_auth.conf %config %{_sysconfdir}/init.d/autofs %if 0%{?suse_version} >= 1230 %config %{_sysconfdir}/dbus-1/system.d/org.freedesktop.AutoMount.conf %endif %dir %{_sysconfdir}/auto.master.d %dir %{_sysconfdir}/NetworkManager %dir %{_sysconfdir}/NetworkManager/dispatcher.d %{_sysconfdir}/NetworkManager/dispatcher.d/autofs %doc COPYRIGHT README README.changer README.ncpfs README.replicated-server %doc README.smbfs README.v5.release autofs.schema README.active-restart %doc README.SUSE README.SUSE.ldap %dir %{_libdir}/autofs/ %{_libdir}/autofs/ %{_mandir}/man5/* %{_mandir}/man8/* %{_sbindir}/automount %{_sbindir}/rcautofs %if %{with_systemd} %{_unitdir}/autofs.service %endif %changelog ++++++ NetworkManager-autofs ++++++ #! /bin/sh # # autofs dispatcher script for NetworkManager # # Matthias Koenig <mkoe...@suse.de> # . /etc/rc.status case "$2" in up) if test -x /bin/systemctl && systemctl -q is-enabled autofs.service; then systemctl restart autofs.service elif rc_active autofs; then /etc/init.d/autofs restart fi ;; *) exit 0 ;; esac ++++++ README.SUSE ++++++ autofs5 is a major update with lots of code changes and new features. Most of the changes enhance the functionality to be more compliant with current industry standards. Here is a list of the most important changes: Differences v4 vs. v5 --------------------- - Master map is now read and parsed by the `automount' daemon - The master map default is "auto.master" and nsswitch is used to locate it. The line "+auto.master" has been added to the default installed "/etc/auto.master" to ensure that those using NIS will still find their master map. This is in line with other industry automount implementations. - The `automount' daemon is now a multi-threaded application - `autofs' filesystem mounts only appear in /proc/mounts and not /etc/mtab. - `autofs' version 5.0.0 will refuse to run if it cannot find an autofs4 kernel module that supports protocol version 5.00 or above. - mount options present in the master map are now overridden by mount options in map entries instead of being accumulated. This behaviour is in line with other industry automount implementations. New features in v5 ------------------ - improved direct mount map support - `+' map inclusion - added nsswitch map source support - rewrote multi-mount map code - added LDAP encryption and authentication support - improved shutdown and restart - a "hosts" map module has been added Update hints ============ Since autofs now uses nsswitch to locate the master map, the sysconfig variable NISMASTERMAP is obsolete. Also the UNDERSCORETODOT parameter is not support anymore. Some new sysconfig parameters are available, please take a look to /etc/sysconfig/autofs. Note also, that the old Suse config syntax style is not supported anymore. If you had a configuration like /mnt yp auto.home [options] you'll have to change this to /mnt yp:auto.home [options] ++++++ README.SUSE.ldap ++++++ Autofs with ldap ---------------- You can configure autofs via LDAP using the nis.schema or rfc2307bis.schema. You can find this schema at /etc/openldap/schema/nis.schema and /etc/openldap/schema/rfc2307bis.schema resp. 1. Change the "automount:" entry in /etc/nsswitch.conf to automount: files ldap 2. Configure your /etc/openldap/ldap.conf include /etc/openldap/schema/rfc2307bis.schema or include /etc/openldap/schema/nis.schema 3. Create the neccessary entry in LDAP Here is an example ldif to mount the whole /home per autofs: --------------------- begin ------------------------------------------------ dn: ou=AUTOFS,dc=example,dc=org objectClass: organizationalUnit ou: AUTOFS dn: nisMapName=auto.master,ou=AUTOFS,dc=example,dc=org objectClass: nisMap nisMapName: auto.master dn: cn=/mounts,nisMapName=auto.master,ou=AUTOFS,dc=example,dc=org objectClass: nisObject nisMapName: auto.master cn: /mounts nisMapEntry: ldap ldapserver.example.org:nisMapName=auto.mounts,ou=AUTOFS,dc=example,dc=org dn: nisMapName=auto.mounts,ou=AUTOFS,dc=example,dc=org objectClass: nisMap nisMapName: auto.mounts dn: cn=home,nisMapName=auto.mounts,ou=AUTOFS,dc=example,dc=org objectClass: nisObject nisMapName: auto.mounts cn: home nisMapEntry: -fstype=nfs,hard,intr,nodev,nosuid nfsserver.example.org:/home --------------------- end -------------------------------------------------- ++++++ autofs-5.0.8-dbus-udisks-monitor.patch ++++++ ++++ 3151 lines (skipped) ++++++ autofs-5.0.8-revert-fix-libtirpc-name-clash.patch ++++++ autofs-5.0.6 - fix libtirpc name clash From: Ian Kent <ik...@redhat.com> The tirpc function auth_destroy() is a macro definition in tirpc/rpc/auth.h which includes an unconditional call to a function log_debug() which clashes with an autofs function of the same name and has a different call signature. To fix it redefine auth_destroy() and exclude the debug log call. --- CHANGELOG | 1 + lib/rpc_subs.c | 10 ++++++++++ 2 files changed, 11 insertions(+), 0 deletions(-) Index: autofs-5.0.9/lib/rpc_subs.c =================================================================== --- autofs-5.0.9.orig/lib/rpc_subs.c +++ autofs-5.0.9/lib/rpc_subs.c @@ -34,16 +34,6 @@ #include <poll.h> #ifdef WITH_LIBTIRPC -#undef auth_destroy -#define auth_destroy(auth) \ - do { \ - int refs; \ - if ((refs = auth_put((auth))) == 0) \ - ((*((auth)->ah_ops->ah_destroy))(auth));\ - } while (0) -#endif - -#ifdef WITH_LIBTIRPC const rpcprog_t rpcb_prog = RPCBPROG; const rpcvers_t rpcb_version = RPCBVERS; #else Index: autofs-5.0.9/CHANGELOG =================================================================== --- autofs-5.0.9.orig/CHANGELOG +++ autofs-5.0.9/CHANGELOG @@ -181,7 +181,6 @@ - fix kernel verion check of version components. - dont retry ldap connect if not required. - fix initialization in rpc create_client(). -- fix libtirpc name clash. - check if /etc/mtab is a link to /proc/self/mounts. - fix nfs4 contacts portmap. - make autofs wait longer for shutdown completion. ++++++ autofs-5.0.8-task-use-after-free.patch ++++++ From: Leonardo Chiquitto <lchiqui...@suse.com> Subject: fix segmentation fault in st_queue_handler() References: bnc#727392 Index: autofs-5.0.9/daemon/state.c =================================================================== --- autofs-5.0.9.orig/daemon/state.c +++ autofs-5.0.9/daemon/state.c @@ -1171,12 +1171,12 @@ remove: struct state_queue, pending); list_del(&task->list); - free(task); list_del_init(&next->pending); list_add_tail(&next->list, head); if (p == head) p = head->next; + free(task); } if (list_empty(head)) ++++++ autofs-5.1.0-add-a-prefix-to-program-map-stdvars.patch ++++++ autofs-5.1.0 - add a prefix to program map stdvars From: Ian Kent <ik...@redhat.com> When a program map uses an interpreted languages like python it's possible to load and execute arbitray code from a user home directory. This is because the standard environment variables are used to locate and load modules when using these languages. To avoid that we need to add a prefix to these environment names so they aren't used for this purpose. The prefix used is "AUTOFS_" and is not configurable. --- include/mounts.h | 4 +- lib/mounts.c | 84 +++++++++++++++++++++++++++++++++++++++-------- modules/lookup_program.c | 2 - modules/parse_sun.c | 8 ++-- 4 files changed, 77 insertions(+), 21 deletions(-) --- a/include/mounts.h +++ b/include/mounts.h @@ -85,8 +85,8 @@ unsigned int linux_version_code(void); int check_nfs_mount_version(struct nfs_mount_vers *, struct nfs_mount_vers *); extern unsigned int nfs_mount_uses_string_options; -struct substvar *addstdenv(struct substvar *sv); -struct substvar *removestdenv(struct substvar *sv); +struct substvar *addstdenv(struct substvar *sv, const char *prefix); +struct substvar *removestdenv(struct substvar *sv, const char *prefix); unsigned int query_kproto_ver(void); unsigned int get_kver_major(void); --- a/lib/mounts.c +++ b/lib/mounts.c @@ -31,6 +31,7 @@ #define MAX_OPTIONS_LEN 80 #define MAX_MNT_NAME_LEN 30 +#define MAX_ENV_NAME 15 #define EBUFSIZ 1024 @@ -303,7 +304,61 @@ int check_nfs_mount_version(struct nfs_m } #endif -struct substvar *addstdenv(struct substvar *sv) +static char *set_env_name(const char *prefix, const char *name, char *buf) +{ + size_t len; + + len = strlen(name); + if (prefix) + len += strlen(prefix); + len++; + + if (len > MAX_ENV_NAME) + return NULL; + + if (!prefix) + strcpy(buf, name); + else { + strcpy(buf, prefix); + strcat(buf, name); + } + return buf; +} + +static struct substvar *do_macro_addvar(struct substvar *list, + const char *prefix, + const char *name, + const char *val) +{ + char buf[MAX_ENV_NAME + 1]; + char *new; + size_t len; + + new = set_env_name(prefix, name, buf); + if (new) { + len = strlen(new); + list = macro_addvar(list, new, len, val); + } + return list; +} + +static struct substvar *do_macro_removevar(struct substvar *list, + const char *prefix, + const char *name) +{ + char buf[MAX_ENV_NAME + 1]; + char *new; + size_t len; + + new = set_env_name(prefix, name, buf); + if (new) { + len = strlen(new); + list = macro_removevar(list, new, len); + } + return list; +} + +struct substvar *addstdenv(struct substvar *sv, const char *prefix) { struct substvar *list = sv; struct thread_stdenv_vars *tsv; @@ -318,14 +373,14 @@ struct substvar *addstdenv(struct substv num = (long) tsv->uid; ret = sprintf(numbuf, "%ld", num); if (ret > 0) - list = macro_addvar(list, "UID", 3, numbuf); + list = do_macro_addvar(list, prefix, "UID", numbuf); num = (long) tsv->gid; ret = sprintf(numbuf, "%ld", num); if (ret > 0) - list = macro_addvar(list, "GID", 3, numbuf); - list = macro_addvar(list, "USER", 4, tsv->user); - list = macro_addvar(list, "GROUP", 5, tsv->group); - list = macro_addvar(list, "HOME", 4, tsv->home); + list = do_macro_addvar(list, prefix, "GID", numbuf); + list = do_macro_addvar(list, prefix, "USER", tsv->user); + list = do_macro_addvar(list, prefix, "GROUP", tsv->group); + list = do_macro_addvar(list, prefix, "HOME", tsv->home); mv = macro_findvar(list, "HOST", 4); if (mv) { char *shost = strdup(mv->val); @@ -333,7 +388,8 @@ struct substvar *addstdenv(struct substv char *dot = strchr(shost, '.'); if (dot) *dot = '\0'; - list = macro_addvar(list, "SHOST", 5, shost); + list = do_macro_addvar(list, + prefix, "SHOST", shost); free(shost); } } @@ -341,16 +397,16 @@ struct substvar *addstdenv(struct substv return list; } -struct substvar *removestdenv(struct substvar *sv) +struct substvar *removestdenv(struct substvar *sv, const char *prefix) { struct substvar *list = sv; - list = macro_removevar(list, "UID", 3); - list = macro_removevar(list, "USER", 4); - list = macro_removevar(list, "HOME", 4); - list = macro_removevar(list, "GID", 3); - list = macro_removevar(list, "GROUP", 5); - list = macro_removevar(list, "SHOST", 5); + list = do_macro_removevar(list, prefix, "UID"); + list = do_macro_removevar(list, prefix, "USER"); + list = do_macro_removevar(list, prefix, "HOME"); + list = do_macro_removevar(list, prefix, "GID"); + list = do_macro_removevar(list, prefix, "GROUP"); + list = do_macro_removevar(list, prefix, "SHOST"); return list; } --- a/modules/lookup_program.c +++ b/modules/lookup_program.c @@ -274,7 +274,7 @@ int lookup_mount(struct autofs_point *ap if (ctxt->mapfmt && strcmp(ctxt->mapfmt, "MAPFMT_DEFAULT")) { struct parse_context *pctxt = (struct parse_context *) ctxt->parse->context; /* Add standard environment as seen by sun map parser */ - pctxt->subst = addstdenv(pctxt->subst); + pctxt->subst = addstdenv(pctxt->subst, "AUTOFS_"); macro_setenv(pctxt->subst); } execl(ctxt->mapname, ctxt->mapname, name, NULL); --- a/modules/parse_sun.c +++ b/modules/parse_sun.c @@ -1214,12 +1214,12 @@ int parse_mount(struct autofs_point *ap, pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &cur_state); macro_lock(); - ctxt->subst = addstdenv(ctxt->subst); + ctxt->subst = addstdenv(ctxt->subst, NULL); mapent_len = expandsunent(mapent, NULL, name, ctxt->subst, slashify); if (mapent_len == 0) { error(ap->logopt, MODPREFIX "failed to expand map entry"); - ctxt->subst = removestdenv(ctxt->subst); + ctxt->subst = removestdenv(ctxt->subst, NULL); macro_unlock(); pthread_setcancelstate(cur_state, NULL); return 1; @@ -1229,7 +1229,7 @@ int parse_mount(struct autofs_point *ap, if (!pmapent) { char *estr = strerror_r(errno, buf, MAX_ERR_BUF); logerr(MODPREFIX "alloca: %s", estr); - ctxt->subst = removestdenv(ctxt->subst); + ctxt->subst = removestdenv(ctxt->subst, NULL); macro_unlock(); pthread_setcancelstate(cur_state, NULL); return 1; @@ -1237,7 +1237,7 @@ int parse_mount(struct autofs_point *ap, pmapent[mapent_len] = '\0'; expandsunent(mapent, pmapent, name, ctxt->subst, slashify); - ctxt->subst = removestdenv(ctxt->subst); + ctxt->subst = removestdenv(ctxt->subst, NULL); macro_unlock(); pthread_setcancelstate(cur_state, NULL); ++++++ autofs-5.1.0-add-config-option-to-force-use-of-program-map-stdvars.patch ++++++ autofs-5.1.0 - add config option to force use of program map stdvars From: Ian Kent <ik...@redhat.com> Enabling the extended environment (including $HOME, for example) for program maps opens automount(8) to a privilege escalation. Rather than just removing the entended environment a configuration option is added to disable it by default so that those who wish to use it can do so if they wish. --- include/defaults.h | 2 ++ lib/defaults.c | 12 ++++++++++++ man/auto.master.5.in | 8 ++++++++ man/autofs.5 | 5 +++++ modules/lookup_program.c | 14 +++++++++++++- samples/autofs.conf.default.in | 11 +++++++++++ 6 files changed, 51 insertions(+), 1 deletion(-) --- a/include/defaults.h +++ b/include/defaults.h @@ -28,6 +28,7 @@ #define DEFAULT_UMOUNT_WAIT 12 #define DEFAULT_BROWSE_MODE 1 #define DEFAULT_LOGGING 0 +#define DEFAULT_FORCE_STD_PROG_MAP_ENV 0 #define DEFAULT_LDAP_TIMEOUT -1 #define DEFAULT_LDAP_NETWORK_TIMEOUT 8 @@ -62,6 +63,7 @@ unsigned int defaults_get_timeout(void); unsigned int defaults_get_negative_timeout(void); unsigned int defaults_get_browse_mode(void); unsigned int defaults_get_logging(void); +unsigned int defaults_force_std_prog_map_env(void); const char *defaults_get_ldap_server(void); unsigned int defaults_get_ldap_timeout(void); unsigned int defaults_get_ldap_network_timeout(void); --- a/lib/defaults.c +++ b/lib/defaults.c @@ -35,6 +35,7 @@ #define ENV_NAME_NEGATIVE_TIMEOUT "NEGATIVE_TIMEOUT" #define ENV_NAME_BROWSE_MODE "BROWSE_MODE" #define ENV_NAME_LOGGING "LOGGING" +#define ENV_NAME_FORCE_STD_PROG_MAP_ENV "FORCE_STANDARD_PROGRAM_MAP_ENV" #define LDAP_URI "LDAP_URI" #define ENV_LDAP_TIMEOUT "LDAP_TIMEOUT" @@ -629,6 +630,17 @@ unsigned int defaults_get_logging(void) return logging; } +unsigned int defaults_force_std_prog_map_env(void) +{ + int res; + + res = get_env_yesno(ENV_NAME_FORCE_STD_PROG_MAP_ENV); + if (res < 0) + res = DEFAULT_FORCE_STD_PROG_MAP_ENV; + + return res; +} + unsigned int defaults_get_ldap_timeout(void) { int res; --- a/man/autofs.5 +++ b/man/autofs.5 @@ -189,6 +189,11 @@ SHOST Short hostname (domain part remove .fi .RE .sp +If a program map is used these standard environment variables will have +a prefix of "AUTOFS_" to prevent interpreted languages like python from +being able to load and execute arbitray code from a user home directory. +.RE +.sp Additional entries can be defined with the -Dvariable=Value map-option to .BR automount (8). .SS Executable Maps --- a/man/auto.master.5.in +++ b/man/auto.master.5.in @@ -253,6 +253,14 @@ options replace the global options (prog .TP .B LOGGING set default log level "none", "verbose" or "debug" (program default "none"). +.TP +.B FORCE_STANDARD_PROGRAM_MAP_ENV +override the use of a prefix with standard environment variables when a +program map is executed. Since program maps are run as the privileded +user setting these standard environment variables opens automount(8) to +potential user privilege escalation when the program map is written in a +language that can load components from, for example, a user home directory +(program default "no"). .SH BUILTIN MAP -hosts If "-hosts" is given as the map then accessing a key under the mount point which corresponds to a hostname will allow access to the exports of that --- a/modules/lookup_program.c +++ b/modules/lookup_program.c @@ -132,6 +132,7 @@ int lookup_mount(struct autofs_point *ap int ret = 1; int distance; int alloci = 1; + char *prefix; source = ap->entry->current; ap->entry->current = NULL; @@ -267,6 +268,17 @@ int lookup_mount(struct autofs_point *ap warn(ap->logopt, MODPREFIX "failed to set PWD to %s for map %s", ap->path, ctxt->mapname); + + /* + * By default use a prefix with standard environment + * variables to prevent system subversion by interpreted + * languages. + */ + if (defaults_force_std_prog_map_env()) + prefix = NULL; + else + prefix = "AUTOFS_"; + /* * MAPFMT_DEFAULT must be "sun" for ->parse_init() to have setup * the macro table. @@ -274,7 +286,7 @@ int lookup_mount(struct autofs_point *ap if (ctxt->mapfmt && strcmp(ctxt->mapfmt, "MAPFMT_DEFAULT")) { struct parse_context *pctxt = (struct parse_context *) ctxt->parse->context; /* Add standard environment as seen by sun map parser */ - pctxt->subst = addstdenv(pctxt->subst, "AUTOFS_"); + pctxt->subst = addstdenv(pctxt->subst, prefix); macro_setenv(pctxt->subst); } execl(ctxt->mapname, ctxt->mapname, name, NULL); --- a/samples/autofs.conf.default.in +++ b/samples/autofs.conf.default.in @@ -50,6 +50,17 @@ BROWSE_MODE="no" # #LOGGING="none" # +# FORCE_STANDARD_PROGRAM_MAP_ENV - disable the use of the "AUTOFS_" +# prefix for standard environemt variables when +# executing a program map. Since program maps +# are run as the privileded user this opens +# automount(8) to potential user privilege +# escalation when the program map is written +# in a language that can load components from, +# for example, a user home directory. +# +#FORCE_STANDARD_PROGRAM_MAP_ENV="no" +# # Define server URIs # # LDAP_URI - space seperated list of server uris of the form ++++++ autofs-rpmlintrc ++++++ addFilter(".*suse-dbus-unauthorized-service.*org\.freedesktop\.AutoMount\.conf.*") ++++++ autofs-suse-auto-master-defaults.patch ++++++ Index: autofs-5.0.9/samples/auto.master =================================================================== --- autofs-5.0.9.orig/samples/auto.master +++ autofs-5.0.9/samples/auto.master @@ -4,18 +4,18 @@ # mount-point [map-type[,format]:]map [options] # For details of the format look at auto.master(5). # -/misc /etc/auto.misc +#/misc /etc/auto.misc # # NOTE: mounts done from a hosts map will be mounted with the # "nosuid" and "nodev" options unless the "suid" and "dev" # options are explicitly given. # -/net -hosts +#/net -hosts # # Include /etc/auto.master.d/*.autofs # The included files must conform to the format of this file. # -+dir:/etc/auto.master.d +#+dir:/etc/auto.master.d # # Include central master map if it can be found using # nsswitch sources. ++++++ autofs-suse-build.patch ++++++ Index: autofs-5.0.7/Makefile.conf.in =================================================================== --- autofs-5.0.7.orig/Makefile.conf.in +++ autofs-5.0.7/Makefile.conf.in @@ -7,6 +7,8 @@ # build autofs. # +CFLAGS = $(LOCAL_CFLAGS) + # Do we build with -fpie? DAEMON_CFLAGS = @DAEMON_CFLAGS@ DAEMON_LDFLAGS = @DAEMON_LDFLAGS@ Index: autofs-5.0.7/daemon/Makefile =================================================================== --- autofs-5.0.7.orig/daemon/Makefile +++ autofs-5.0.7/daemon/Makefile @@ -30,7 +30,7 @@ endif all: automount automount: $(OBJS) $(AUTOFS_LIB) - $(CC) $(LDFLAGS) $(DAEMON_LDFLAGS) -o automount $(OBJS) $(AUTOFS_LIB) $(LIBS) + $(CC) $(CFLAGS) $(LDFLAGS) $(DAEMON_LDFLAGS) -o automount $(OBJS) $(AUTOFS_LIB) $(LIBS) $(STRIP) automount clean: Index: autofs-5.0.7/Makefile.rules =================================================================== --- autofs-5.0.7.orig/Makefile.rules +++ autofs-5.0.7/Makefile.rules @@ -44,8 +44,7 @@ CXXFLAGS = $(CFLAGS) LD = ld SOLDFLAGS = -shared -CFLAGS += -D_REENTRANT -D_FILE_OFFSET_BITS=64 -LDFLAGS += -lpthread +CFLAGS += -D_REENTRANT -D_FILE_OFFSET_BITS=64 -pthread ifdef TIRPCLIB CFLAGS += -I/usr/include/tirpc ++++++ autofs.init ++++++ #!/bin/bash # # Copyright (C) 2011 SUSE Linux Products GmbH, Nuernberg, Germany. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. # ### BEGIN INIT INFO # Provides: autofs # Required-Start: $network $syslog $remote_fs # Should-Start: $portmap ypbind keyserv ldap nfsserver network-remotefs # Required-Stop: $network $syslog $remote_fs # Should-Stop: $portmap ypbind keyserv ldap nfsserver network-remotefs # Default-Start: 3 5 # Default-Stop: # Short-Description: automatic mounting of filesystems # Description: Start the autofs daemon for automatic mounting of filesystems. ### END INIT INFO # # Location of the automount daemon and the init directory # DAEMON=/usr/sbin/automount prog=`basename $DAEMON` MODULE="autofs4" DEVICE="autofs" confdir=/etc/sysconfig PIDFILE=/var/run/automount.pid test -x $DAEMON || exit 5 PATH=/sbin:/usr/sbin:/bin:/usr/bin export PATH . /etc/rc.status # # Load customized configuration settings # if [ -r $confdir/autofs ]; then . $confdir/autofs fi function start() { # Make sure autofs4 module is loaded if ! grep -q autofs /proc/filesystems; then # Try load the autofs4 module fail if we can't modprobe -q $MODULE >/dev/null 2>&1 if [ $? -eq 1 ]; then echo "Error: failed to load $MODULE module." return 1 fi fi # Use the AutoFS misc device unless it is explicitly disabled if [ -z "$USE_MISC_DEVICE" -o "x$USE_MISC_DEVICE" = "xyes" ]; then if [ -e "/proc/misc" ]; then if ! grep -q autofs /proc/misc; then sleep 1 fi MINOR=`awk "/$DEVICE/ {print \\$1}" /proc/misc` if [ -n "$MINOR" -a ! -c "/dev/$DEVICE" ]; then mknod -m 0600 /dev/$DEVICE c 10 $MINOR fi fi if [ -x /sbin/restorecon -a -c /dev/$DEVICE ]; then /sbin/restorecon /dev/$DEVICE fi else if [ -c /dev/$DEVICE ]; then rm /dev/$DEVICE fi fi if [ "$LOCAL_OPTIONS" ]; then AUTOFS_OPTIONS="-O $LOCAL_OPTIONS $AUTOFS_OPTIONS" fi /sbin/startproc -w $DAEMON -p $PIDFILE $AUTOFS_OPTIONS return $? } function stop() { # Send SIGTERM first and set a maximum wait time of 45 seconds # before sending SIGKILL /sbin/killproc -t 45 -p $PIDFILE $DAEMON } RETVAL=0 case "$1" in start) echo -n "Starting $prog " # Check if already running if ! /sbin/checkproc $DAEMON; then start fi rc_status -v ;; stop) echo -n "Shutting down $prog " stop rc_status -v ;; try-restart|condrestart) ## Do a restart only if the service was active before. ## Note: try-restart is now part of LSB (as of 1.9). if test "$1" = "condrestart"; then echo "${attn}Use try-restart ${done}(LSB)${attn}${norm}" fi $0 status if test $? = 0; then $0 restart else rc_reset # Not running is not a failure. fi # Remember status and be quiet rc_status ;; restart) $0 stop $0 start rc_status ;; force-reload|reload) echo -n "Reload service $prog " /sbin/killproc -HUP $DAEMON rc_status -v ;; status) echo -n "Checking for service $prog " /sbin/checkproc $DAEMON # NOTE: rc_status knows that we called this init script with # "status" option and adapts its messages accordingly. rc_status -v ;; *) echo "Usage: $0 {start|stop|status|try-restart|restart|reload}" exit 1 ;; esac rc_exit ++++++ autofs.schema ++++++ # Depends upon core.schema and cosine.schema # OID Base is 1.3.6.1.4.1.2312.4 # # Attribute types are under 1.3.6.1.4.1.2312.4.1 # Object classes are under 1.3.6.1.4.1.2312.4.2 # Syntaxes are under 1.3.6.1.4.1.2312.4.3 # Attribute Type Definitions attributetype ( 1.3.6.1.1.1.1.25 NAME 'automountInformation' DESC 'Information used by the autofs automounter' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) objectclass ( 1.3.6.1.1.1.1.13 NAME 'automount' SUP top STRUCTURAL DESC 'An entry in an automounter map' MUST ( cn $ automountInformation $ objectclass ) MAY ( description ) ) objectclass ( 1.3.6.1.4.1.2312.4.2.2 NAME 'automountMap' SUP top STRUCTURAL DESC 'An group of related automount objects' MUST ( ou ) ) ++++++ autofs.service ++++++ [Unit] Description=Automounts filesystems on demand After=network.target remote-fs.target ypbind.service [Service] Type=forking PIDFile=/var/run/automount.pid EnvironmentFile=-/etc/sysconfig/autofs ExecStart=/usr/sbin/automount ${AUTOFS_OPTIONS} -p /var/run/automount.pid ExecReload=/usr/bin/kill -HUP $MAINPID TimeoutSec=180 [Install] WantedBy=multi-user.target ++++++ get-upstream-patches ++++++ #! /bin/bash # # get autofs upstream patched from # http://www.kernel.org/pub/linux/daemons/autofs/v5/patches-$version/ # and cat them in one bzipped file # autofs-$LATEST_RELEASE-upstream-patches-$DATE # where DATE is the date of the top patch in the series # # usage: get-upstream-patches LATEST_RELEASE="5.0.7" NEXT_RELEASE="5.0.8" BASE=http://www.kernel.org/pub/linux/daemons/autofs/v5/patches-$NEXT_RELEASE/ SERIES=patch_order-$LATEST_RELEASE WGET_OPTS=-q PATCHDIR=upstream-patches-$LATEST_RELEASE CURRENT=$PWD DELIMITER=$(mktemp) test -x /usr/bin/wget || { echo "wget is missing!"; exit 1; } test -x /usr/bin/bzip2 || { echo "bzip2 is missing!"; exit 1; } test -x /usr/bin/sed || { echo "sed is missing!"; exit 1; } test -d $PATCHDIR || mkdir $PATCHDIR pushd $PATCHDIR > /dev/null 2>&1 rm -f $SERIES echo "retrieving series file $SERIES" wget $WGET_OPTS $BASE/$SERIES sed -i '/^#/d' $SERIES while read patch do if test -r "$patch"; then echo "$patch ...skipping" else echo "$patch ...retrieving" wget $WGET_OPTS $BASE/$patch fi done < $SERIES LAST=$(sed -e "/^$/d" $SERIES | tail -n 1) DATE=$(stat -c "%y" $LAST | cut -d' ' -f 1 | sed "s/-//g") echo > $DELIMITER echo "----------" >> $DELIMITER echo >> $DELIMITER cat $SERIES $DELIMITER $(cat $SERIES) > $CURRENT/autofs-$LATEST_RELEASE-upstream-patches-$DATE rm -f $DELIMITER bzip2 $CURRENT/autofs-$LATEST_RELEASE-upstream-patches-$DATE popd > /dev/null 2>&1 ++++++ sysconfig.autofs ++++++ ## Path: System/File systems/Autofs ## Description: General global options. ## Type: string ## Default: "" ## ServiceReload: autofs # AUTOFS_OPTIONS="" ## Description: Default mount options. ## Type: string ## Default: "" # # Default mount options which are appended or replaced to # each map entry (see also APPEND_OPTIONS). LOCAL_OPTIONS="" ## Description: Append or replace options. ## Type: string ## Default: "yes" # # Determine whether LOCAL_OPTIONS are appended to map entry options # or if the map entry options replace the global options # (program default "yes", append options). APPEND_OPTIONS="yes" ## Description: Use AutoFS miscellaneous device (/dev/autofs). ## Type: string ## Default: "yes" # # Determine whether the AutoFS misc device (/dev/autofs) will be used # for routing ioctl commands. Requires kernel support (2.6.28 and newer). USE_MISC_DEVICE="yes" ## Description: Default map name for the master map. ## Type: string ## Default: "auto.master" # DEFAULT_MASTER_MAP_NAME="auto.master" ## Description: Set the default mount timeout. ## Type: integer(0:) ## Default: 600 # DEFAULT_TIMEOUT=600 ## Description: Set the default negative timeout for failed mount attempts. ## Type: integer(0:) ## Default: 60 # #DEFAULT_NEGATIVE_TIMEOUT=60 ## Description: Time to wait for a response from mount(8). ## Type: integer(-1:) ## Default: -1 # # Setting this timeout can cause problems when mount would otherwise # wait for a server that is temporarily unavailable, such as when # it's restarting. The default of waiting for mount(8) usually # results in a wait of around 3 minutes. #DEFAULT_MOUNT_WAIT=-1 ## Description: Time to wait for a response from umount(8). ## Type: integer(0:) ## Default: 12 # #DEFAULT_UMOUNT_WAIT=12 ## Description: The default protocol used by mount.nfs(8). ## Type: string ## Default: 3 # # Since we can't identify the default automatically we need to # set it in our configuration. This will only make a difference # for replicated map entries as availability probing isn't # used for single host map entries. #MOUNT_NFS_DEFAULT_PROTOCOL=3 ## Description: maps are browsable by default. ## Type: string ## Default: "yes" # DEFAULT_BROWSE_MODE="yes" ## Description: Set default log level. ## Type: string ## Default: "none" # # "none", "verbose" or "debug" # DEFAULT_LOGGING="none" ## Description: Define the default LDAP schema to use for lookups. ## Type: string ## Default: "auto.master" # # System default # DEFAULT_MAP_OBJECT_CLASS="nisMap" DEFAULT_ENTRY_OBJECT_CLASS="nisObject" DEFAULT_MAP_ATTRIBUTE="nisMapName" DEFAULT_ENTRY_ATTRIBUTE="cn" DEFAULT_VALUE_ATTRIBUTE="nisMapEntry" # # Other common LDAP nameing # #DEFAULT_MAP_OBJECT_CLASS="automountMap" #DEFAULT_ENTRY_OBJECT_CLASS="automount" #DEFAULT_MAP_ATTRIBUTE="ou" #DEFAULT_ENTRY_ATTRIBUTE="cn" #DEFAULT_VALUE_ATTRIBUTE="automountInformation" # #DEFAULT_MAP_OBJECT_CLASS="automountMap" #DEFAULT_ENTRY_OBJECT_CLASS="automount" #DEFAULT_MAP_ATTRIBUTE="automountMapName" #DEFAULT_ENTRY_ATTRIBUTE="automountKey" #DEFAULT_VALUE_ATTRIBUTE="automountInformation" ## Description: Set the default location for the SASL authentication configuration file. ## Type: string ## Default: "/etc/autofs_ldap_auth.conf" # DEFAULT_AUTH_CONF_FILE="etc/autofs_ldap_auth.conf" ## Description: Disable the use of the "AUTOFS_" prefix ## Type: string ## Default: "no" # # Disable the use of the "AUTOFS_" prefix for standard environment # variables when executing a program map. Since program maps are run # as the privileged user this opens automount(8) to potential user # privilege escalation when the program map is written in a language # that can load components from, for example, a user home directory. # #FORCE_STANDARD_PROGRAM_MAP_ENV="no" ## Description: List of LDAP server URIs. ## Type: string ## Default: "" # # Space seperated list of server URIs of the form <proto>://<server>[/] # where <proto> can be ldap or ldaps. The option can be given multiple # times. Map entries that include a server name override this option. # # This configuration option can also be used to request AutoFS lookup # SRV RRs for a domain of the form <proto>:///[<domain dn>]. Note that a # trailing "/" is not allowed when using this form. If the domain dn # is not specified the DNS domain name (if any) is used to construct # the domain dn for the SRV RR lookup. The server list returned from # an SRV RR lookup is refreshed according to the minimum ttl found in # the SRV RR records or after one hour, whichever is less. #LDAP_URI="" ## Description: Timeout value for the synchronous LDAP API calls. ## Type: integer ## Default: LDAP library default # #LDAP_TIMEOUT=-1 ## Description: Set the network LDAP response timeout (default 8). ## Type: integer ## Default: 8 # #LDAP_NETWORK_TIMEOUT=8 ## Description: Define the LDAP base dn for map dn lookup. ## Type: string ## Default: "" # # Multiple entries can be given and they are checked in the order # they appear here. #SEARCH_BASE="" ## Description: Set the map cache hash table size. ## Type: integer ## Default: 1024 # # Should be a power of 2 with a ratio roughly between 1:10 and 1:20 # for each map. MAP_HASH_TABLE_SIZE=1024 -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
