I reviewed nfs-ganesha 3.0.3-0ubuntu1 as checked into focal. This shouldn't be considered a full audit but rather a quick gauge of maintainability.
nfs-ganesha is a user-mode file server for NFS v3, 4.0, 4.1, 4.1 pNFS, and 4.2; and for 9P from the Plan9 operating system. It provides a FUSE-compatible File System Abstraction Layer (FSAL) to allow the file-system developers to plug in their own storage mechanism and access it from any NFS client.

- No CVE History found.
- It has Build-Depends for some libraries. Most relevant one is kerberos that provides integrity (krb5i) or integrity and encryption (krb5p).
- There aren't pre/post inst/rm scripts.
- It has three systemd units:
  - nfs-ganesha-config.service: For configuration
  - nfs-ganesha.service: The main service
  - nfs-ganesha-lock.service: File locking (the main service needs it)
- It has a dbus service called org.ganesha.nfsd and the following interfaces:
  - org.freedesktop.DBus.Introspectable: returns an XML data string that describes all of the other interfaces and their methods for the particular object path. Every object path in NFS Ganesha's server provides this interface.
  - org.freedesktop.DBus.Properties: This interface is for setting and retrieving key/value pairs of properties. NFS Ganesha currently does not supply this interface yet.
  - org.ganesha.nfsd.admin: Used to administer the server itself.
  - org.ganesha.nfsd.CBSIM: Only for development. It's a callback simulator.
- No setuid binaries found.
- Relevant binaries:
  - usr/bin/ganesha.nfsd
  - usr/lib/x86_64-linux-gnu/libganesha_nfsd.so.3.0
- No sudo fragments found.
- No udev rules found.
- It has ad-hoc tests (src/test) and Google G-Test framework tests (src/gtest).
  - The tests seem basic. There are more realistic tests using network that can be done by using extra tools.
- No cron job found.
- Build logs:
  - There are some warnings during the build. Nothing relevant found.
  - Lintian failed because of "shlib-in-multi-arch-foreign-package" which means: "The package is marked as Multi-Arch: foreign, but it includes a shared library in a public library directory."
- Memory management seems ok.
- File IO is intensive depending on the usage. Nothing to worry about was found by looking at the code and coverity results.
- Logging seems safe.
- Use of privileged functions not found.
- There is a use of cryptography when used with kerberos.
- Temporary file handling uses mkstemp but it seems safe.
- Use of networking seems fine. Addresses and inputs are sanitized before the use.
- No use of WebKit or PolicyKit found.
- All errors found in cppcheck are "Uninitialized variable" ones. Nothing to worry about.
- Coverity found use-after-free, out-of-bound accesses and other issues. The issues were analysed and they were not considered showstoppers to get the project in main.

Security team ACK for promoting nfs-ganesha to main. Still pending ntirpc analysis.

--
https://bugs.launchpad.net/bugs/1843403
Title: [MIR] nfs-ganesha, ntirpc