[Bug 1843403] Re: [MIR] nfs-ganesha, ntirpc

Paulo Flabiano Smorigo 1843403 at bugs.launchpad.net
Fri Feb 14 20:24:50 UTC 2020


I reviewed nfs-ganesha 3.0.3-0ubuntu1 as checked into focal. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

nfs-ganesha is a user-mode file server for NFS v3, 4.0, 4.1, 4.1 pNFS, and
4.2; and for 9P from the Plan9 operating system. It provides a FUSE-compatible
File System Abstraction Layer (FSAL) to allow file-system developers to
plug in their own storage mechanism and access it from any NFS client.

- No CVE History found.
- It has Build-Depends for some libraries. The most relevant one is Kerberos,
  which provides integrity (krb5i) or integrity and encryption (krb5p).
- There are no pre/post inst/rm scripts.
- It has three systemd units:
  - nfs-ganesha-config.service: For configuration
  - nfs-ganesha.service: The main service
  - nfs-ganesha-lock.service: File locking (the main service needs it)
- It has a dbus service called org.ganesha.nfsd and the following interfaces:
  - org.freedesktop.DBus.Introspectable: returns an xml data string that
    describes all of the other interfaces and their methods for the
    particular object path. Every object path in NFS Ganesha's server provides
    this interface.
  - org.freedesktop.DBus.Properties: This interface is for setting and
    retrieving key/value pairs of properties. NFS Ganesha does not currently
    supply this interface.
  - org.ganesha.nfsd.admin: Used to administer the server itself.
  - org.ganesha.nfsd.CBSIM: Only for development. It's a callback simulator.
- No setuid binaries found.
- Relevant binaries:
  - usr/bin/ganesha.nfsd
  - usr/lib/x86_64-linux-gnu/libganesha_nfsd.so.3.0
- No sudo fragments found.
- No udev rules found.
- It has ad-hoc tests (src/test) and Google G-Test framework tests (src/gtest).
  - The tests seem basic. More realistic tests using the network can be done
    with extra tools.
- No cron job found.
- Build logs:
  - There are some warnings during the build. Nothing relevant found.
  - Lintian failed because of "shlib-in-multi-arch-foreign-package" which means:
    "The package is marked as Multi-Arch: foreign, but it includes a shared
    library in a public library directory."
- Memory management seems ok.
- File IO is intensive depending on the usage. Nothing worrying was found by
  looking at the code and Coverity results.
- Logging seems safe.
- No use of privileged functions found.
- Cryptography is used when running with Kerberos.
- Temporary file handling uses mkstemp and seems safe.
- Use of networking seems fine. Addresses and inputs are sanitized before
  use.
- No use of WebKit or PolicyKit found.

- All errors found in cppcheck are "Uninitialized variable" ones. Nothing to
  worry about.

- Coverity found use-after-free, out-of-bound accesses and other issues. The
  issues were analysed and were not considered showstoppers for getting the
  project into main.

Security team ACK for promoting nfs-ganesha to main. Still pending ntirpc
analysis.

https://bugs.launchpad.net/bugs/1843403

Title:
  [MIR] nfs-ganesha, ntirpc

Status in nfs-ganesha package in Ubuntu:
  New
Status in ntirpc package in Ubuntu:
  New

Bug description:
  == nfs-ganesha ==

  [Availability]
  In universe

  [Rationale]
  Ganesha provides the NFS header/proxy for use of CephFS shared file systems as part of OpenStack Manila

  [Security]
  No security history:

  https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=nfs-ganesha

  [Quality assurance]
  Test suite currently disabled in package build.
  No autopkgtests.

  [Dependencies]
  daemon in universe - any alternatives?

  [Standards compliance]
  OK - modern debhelper style package (compat level 9).

  [Maintenance]
  maintained in Debian
  ubuntu-openstack for Ubuntu

  [Background information]
  Specifically nfs-ganesha-ceph will be seeded for support

  == ntirpc ==

  [Availability]
  In universe

  [Rationale]
  Dependency for nfs-ganesha

  [Security]
  One CVE, much older version:

  https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ntirpc

  [Quality assurance]
  Test suite currently disabled in package build.
  No autopkgtests.

  [Dependencies]
  all in main or detailed on this MIR

  [Standards compliance]
  OK - modern debhelper style package (compat level 9).

  [Maintenance]
  maintained in Debian
  ubuntu-openstack for Ubuntu
