8.0.4-p1 and the samba vulnerability

Status
Not open for further replies.

jpaetzel

Guest
Samba released a new version yesterday, which addresses a critical security vulnerability that allowed pre-auth remote code execution as root. Obviously this is a huge problem and needs to be addressed ASAP.

We are doing test builds of 8.0.4-RELEASE-p1 now, which contains the fixed version of Samba as well as a small handful of other fixes to 8.0.4-RELEASE, and should have an image up later today.
 

ProtoSD

MVP
Joined
Jul 1, 2011
Messages
3,348
I just noticed the updates show up in the download area. Thanks for the update!
 

warri

Guru
Joined
Jun 6, 2011
Messages
1,193
Thanks for the quick update!
I just updated via GUI, and the auto-reboot did not seem to work (for the first time). Nothing happened after a while and the HTTP interface just returned HTTP 500 and 503. Anyway, after a manual reboot via shell everything seems to work now.

Here are the last log entries:
Code:
Apr 12 03:10:53 freenas freenas[2020]: Executing: /bin/rm -rf /var/tmp/firmware
Apr 12 03:10:53 freenas freenas[2020]: Executing: /bin/mkdir -p /mnt/tank1/stuff/.freenas
Apr 12 03:10:53 freenas freenas[2020]: Executing: /usr/sbin/chown www:www /mnt/tank1/stuff/.freenas
Apr 12 03:10:53 freenas freenas[2020]: Executing: /bin/ln -s /mnt/tank1/stuff/.freenas /var/tmp/firmware
Apr 12 03:11:19 freenas freenas[2020]: Executing: /bin/rm -rf /var/tmp/firmware
Apr 12 03:11:19 freenas freenas[2020]: Executing: /bin/mkdir -p /mnt/tank1/stuff/.freenas
Apr 12 03:11:19 freenas freenas[2020]: Executing: /usr/sbin/chown www:www /mnt/tank1/stuff/.freenas
Apr 12 03:11:19 freenas freenas[2020]: Executing: /bin/ln -s /mnt/tank1/stuff/.freenas /var/tmp/firmware
Apr 12 03:11:19 freenas freenas[2020]: Popen()ing: /sbin/sha256 -q /var/tmp/firmware/firmware.xz
Apr 12 03:11:22 freenas freenas[2020]: Executing: /usr/bin/xz -t /var/tmp/firmware/firmware.xz
Apr 12 03:11:46 freenas freenas[2020]: Executing: /usr/bin/xz -cd /var/tmp/firmware/firmware.xz | sh /root/update && touch /data/need-update
Apr 12 03:15:15 freenas kernel: pid 2020 (python), uid 0: exited on signal 10
Apr 12 03:17:32 freenas freenas: 1930257+0 records in
Apr 12 03:17:32 freenas freenas: 7540+1 records out
Apr 12 03:17:32 freenas freenas: 988291584 bytes transferred in 346.141501 secs (2855166 bytes/sec)
Apr 12 03:17:33 freenas kernel: GEOM: da0s2: geometry does not match label (16h,63s != 255h,63s).
Apr 12 03:17:37 freenas freenas: ** /dev/da0s2a (NO WRITE)
Apr 12 03:17:37 freenas freenas: ** Last Mounted on /build/home/jpaetzel/fn_build/8.0.4/obj.amd64/_.mnt
Apr 12 03:17:37 freenas freenas: ** Phase 1 - Check Blocks and Sizes
Apr 12 03:17:37 freenas freenas: ** Phase 2 - Check Pathnames
Apr 12 03:17:37 freenas freenas: ** Phase 3 - Check Connectivity
Apr 12 03:17:37 freenas freenas: ** Phase 4 - Check Reference Counts
Apr 12 03:17:37 freenas freenas: ** Phase 5 - Check Cyl groups
Apr 12 03:17:37 freenas freenas: 24349 files, 775865 used, 1121941 free (829 frags, 140139 blocks, 0.0% fragmentation)
Apr 12 03:17:37 freenas freenas: tar: Removing leading '/' from member names
Apr 12 03:17:37 freenas freenas: x boot/modules/
Apr 12 03:17:39 freenas mountd[2450]: can't delete exports for /mnt/tmp.YG2VNG: Invalid argument 
Apr 12 03:17:41 freenas freenas: active set on da0s2
 

ProtoSD

MVP
Joined
Jul 1, 2011
Messages
3,348
I also just finished my upgrade using the GUI from version 8.0.4 x64 and didn't have any problems.
 

Daisuke

Contributor
Joined
Jun 23, 2011
Messages
1,041
Hmm, I upgraded to 8.0.4-p1 and the CIFS performance is now cut in half. I can read and write at about 50MB/sec, compared to the previous stats posted into my build thread. I re-installed Windows 7 Ultimate, just to be sure there is nothing special related to it.

When I ran a disk test as Administrator, the results were OK for my RAID1 array:
Code:
> winsat disk -drive c
> Disk  Sequential 64.0 Read                   96.62 MB/s         6.5
> Disk  Random 16.0 Read                       2.47 MB/s          4.4
> Responsiveness: Average IO Rate              2.12 ms/IO         6.9
> Responsiveness: Grouped IOs                  8.34 units         7.4
> Responsiveness: Long IOs                     5.59 units         7.7
> Responsiveness: Overall                      46.64 units        7.1
> Responsiveness: PenaltyFactor                0.0
> Disk  Sequential 64.0 Write                  113.21 MB/s        6.8
> Average Read Time with Sequential Writes     6.977 ms           5.3
> Latency: 95th Percentile                     32.720 ms          3.0
> Latency: Maximum                             112.231 ms         7.6
> Average Read Time with Random Writes         13.346 ms          3.7
> Total Run Time 00:01:39.50
 

jpaetzel

Guest
FreeNAS-8.0.4-RELEASE-p1 is now available for immediate download from:

https://sourceforge.net/projects/freenas/files/FreeNAS-8.0.4/

FreeNAS-8.0.4-RELEASE-p1 contains Samba 3.6.4, which addresses the
critical security flaw in CVE-2012-1182.

This update is critical for anyone using CIFS.

A small handful of other fixes since 8.0.4-RELEASE have been included
in this release.

Release Notes for FreeNAS 8.0.4-RELEASE-p1

*** IMPORTANT ***

- The image size increased in 8.0.1-BETA3. The new size requires a 2 GB
storage device. The GUI upgrade can be used to upgrade a system from
BETA3, BETA4, or RC1 but upgrades from earlier releases can only be
done from the CD. The other option is to save the config, reinstall
the new version, then restore the config.
- FreeBSD can be really touchy with hardware. Please be sure to update
your BIOS/BMC firmware when upgrading / installing FreeNAS if you run
into OS hang issues. There have been cases identified where a BIOS
upgrade has fixed driver hangs, and/or other issues with FreeNAS; one
such example was with an Intel 82578DC motherboard, as noted in the
FreeNAS 8 forum thread titled "8.0.3-RELEASE coming soon..":
http://bit.ly/rq78Q3 , post # 70-88. Again, please only do this if you
experience booting / runtime issues, as some vendors don't test
FreeBSD interoperability as much as others between major firmware
releases.
- Previous builds were branded as i386/amd64 (32-bit and 64-bit
respectively). 8.0.3-RC1+ rebranded the architectures as x86 and x64,
respectively.
- 8.0.1 and 8.0.2 images advertised CIFS shares to Macs by default but
8.0.3 and later images don't advertise CIFS shares by default. If you
want to advertise CIFS shares in 8.0.3 and later, be sure to turn on
"Zeroconf" support in the CIFS global settings.
- Builds prior to 8.0.3-RELEASE with 'CIFS' didn't actually have AIO
(asynchronous I/O) enabled. So, if you experience performance
degradation after upgrading from prior versions of FreeNAS to
8.0.3-RELEASE or newer, turn off AIO or tune the AIO size from '1' to
something more reasonable (the new default in 8.0.3-RELEASE-p1 is 4096
or 4kB).

Changes since 8.0.4-RELEASE:

Enhancements
========================

GUI
------------------------

1. Selecting reboot now causes the screen to turn red during the
confirmation dialog, adding emphasis to the fact that this operation
will affect availability.

Bugfixes
========================

OS/Third party
------------------------

1. Samba has been upgraded to 3.6.4 to address CVE-2012-1182 which is a
critical vulnerability. All FreeNAS users who are using CIFS are
urged to upgrade.

2. Create the ldap and nss secret files when LDAP integration is
enabled.

3. Ensure the configuration database is not world readable.

4. Remove failsafe from the PAM group file, this prevents a situation
where the wheel group being empty allowed any user to su to root.


Filename:
FreeNAS-8.0.4-RELEASE-p1-x64.GUI_Upgrade.xz
SHA256 Hash:
ba909e18a0f1cc64b6be0c5f089d9b89b684138f1b621024e91a47532426d662

Filename:
FreeNAS-8.0.4-RELEASE-p1-x64.img.xz
SHA256 Hash:
8e4eec14170d8c0314e51abb0474c7447ec967189af0bcd5e41ed61bbdba51b9

Filename:
FreeNAS-8.0.4-RELEASE-p1-x64.iso
SHA256 Hash:
130b5d021b0b67e01039cbf8adcbe02d67cf6b01040cf7a084445c674db0ea29

Filename:
FreeNAS-8.0.4-RELEASE-p1-x86.GUI_Upgrade.xz
SHA256 Hash:
749ebde664913deeefc077efa47f30195b5e3a68ea36da3085e01832039a8ade

Filename:
FreeNAS-8.0.4-RELEASE-p1-x86.img.xz
SHA256 Hash:
662a2de3f423ddd0f6a8a9792fc5afc0eb2ccb37ac00d1bfef3d03f163c20dcc

Filename:
FreeNAS-8.0.4-RELEASE-p1-x86.iso
SHA256 Hash:
d7a737ab61994b5a46642e77891b40b5e54815a2a4e0b27f1dc943d06fd61d2b
 

Gnome

Explorer
Joined
Aug 18, 2011
Messages
87
Hmm, I upgraded to 8.0.4-p1 and the CIFS performance is now cut in half. I can read and write at about 50MB/sec, compared to the previous stats posted into my build thread. I re-installed Windows 7 Ultimate, just to be sure there is nothing special related to it.

Are you sure? Have you tried downgrading and testing by doing the exact same copy operation for before/after comparison?
 

sumsum

Cadet
Joined
Feb 10, 2012
Messages
7
I have nearly the same setup as TECK.
After the upgrade to 8.0.4-RELEASE-p1 I have the same performance as before.
Write : ~76MB/s
Read : ~110MB/s

cheers
tom
 

Simon00

Dabbler
Joined
Jan 22, 2012
Messages
17
I've also had some trouble upgrading, possibly due to my hardware combo or a buggy upgrade process. But I simply export my ZFS volume and swap the bootable SD card with the new version. I re-import the volume, and I usually just re-enter the settings manually to be sure. I have low-spec hardware, so I leave AIO off.
 

bman

Cadet
Joined
Mar 21, 2012
Messages
5
FreeNAS newbie here. I successfully built a unit using an old PC. I completed the original installation with a monitor and keyboard attached. I have since removed them and run the system headless. I just burned the CD with 8.04p1. My question is, do I need to re-attach a monitor and keyboard to upgrade? Or can you tell me how I would complete this with a headless system? Any help is appreciated.
 

warri

Guru
Joined
Jun 6, 2011
Messages
1,193
That depends on your current version. If you are upgrading from pre-8.0.1-BETA3 you need to upgrade via CD due to the increased image size.
Newer versions should be upgradable via the HTTP GUI, just grab the correct image (FreeNAS-8.0.4-RELEASE-p1-x86.GUI_Upgrade.xz or x64 depending on your architecture), go to Settings - Advanced - Firmware Update and follow the instructions.
 

nepenthe

Cadet
Joined
Sep 4, 2011
Messages
4
Could not su to root from SSH login after upgrade

Apparently after this upgrade from 8.04 I was unable to su to root when logging in via SSH. After further research I found there were no members of the wheel group. I re-added my user account into the group and all was well. Just thought I should bring this up, anyone else experience anything like that? Should I submit a bug report perhaps?
 

William Grzybowski

Wizard
iXsystems
Joined
May 27, 2011
Messages
1,754
Apparently after this upgrade from 8.04 I was unable to su to root when logging in via SSH. After further research I found there were no members of the wheel group. I re-added my user account into the group and all was well. Just thought I should bring this up, anyone else experience anything like that? Should I submit a bug report perhaps?

No, it is a bugfix, it is in the release notes.
Users should not be allowed to su if not in wheel group.
 

nepenthe

Cadet
Joined
Sep 4, 2011
Messages
4
No, it is a bugfix, it is in the release notes.
Users should not be allowed to su if not in wheel group.

My bad. I just quickly read that and figured users were previously being automatically added to the Wheel group upon creation, instead of the Wheel group not mattering.
 

Daisuke

Contributor
Joined
Jun 23, 2011
Messages
1,041
No, it is a bugfix, it is in the release notes.
Users should not be allowed to su if not in wheel group.

I have never heard that before, and I have used UNIX for a long time. Is this specific to FreeBSD?
Adding a regular user to wheel group presents security risks, as this group has special permissions. I would rather have an option assigned to a specific group. For example, you tick an option that says "Members of this group are superusers", that would be more appropriate.

I'm connecting through SSH, but I see this note:
"Remove failsafe from the PAM group file, this prevents a situation where the wheel group being empty allowed any user to su to root."
The normal behavior in every Unix OS I know is to allow any user to su, isn't it?
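
Added example, not part of any post in this thread and not FreeNAS code: a small audit for the condition described in release-note item 4, assuming the note refers to the `fail_safe` option of FreeBSD's `pam_group`, which treats an empty or missing group as if the applicant were a member. The function name `audit_su_pam`, its return codes and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example. Audits a PAM su policy for pam_group + fail_safe.
# Returns: 0 no fail_safe; 1 fail_safe and group empty/missing (the group
# check passes for every user); 2 fail_safe present but group has members;
# 3 no pam_group rule at all.
audit_su_pam() {
    pam_file=$1; group_file=$2
    # First non-comment rule that loads pam_group, whitespace normalised.
    rule=$(grep -v '^[[:space:]]*#' "$pam_file" | grep 'pam_group' |
           head -n 1 | tr -s '[:space:]' ' ')
    [ -n "$rule" ] || { echo "su is not gated by pam_group"; return 3; }
    case " $rule " in
        *" fail_safe "*) ;;
        *) echo "OK: no fail_safe, an empty group admits nobody"; return 0 ;;
    esac
    # pam_group falls back to the wheel group when group= is absent.
    group=$(printf '%s\n' "$rule" | tr ' ' '\n' | sed -n 's/^group=//p' | head -n 1)
    [ -n "$group" ] || group=wheel
    entry=$(awk -F: -v g="$group" '$1 == g { print; exit }' "$group_file")
    members=$(printf '%s\n' "$entry" | cut -d: -f4)
    if [ -z "$entry" ] || [ -z "$members" ]; then
        echo "RISK: fail_safe set and group '$group' is empty or missing"
        return 1
    fi
    echo "WARN: fail_safe set; group '$group' currently has: $members"
    return 2
}

# Constructed sample files (FreeBSD-style layout, not taken from a FreeNAS box).
demo=$(mktemp -d)
cat > "$demo/su.before" <<'EOF'
# constructed sample
auth  sufficient  pam_rootok.so  no_warn
auth  requisite   pam_group.so   no_warn group=wheel root_only fail_safe ruser
auth  include     system
EOF
sed 's/ fail_safe//' "$demo/su.before" > "$demo/su.after"
printf 'wheel:*:0:\noperator:*:5:root\n' > "$demo/group.empty"
printf 'wheel:*:0:root,alice\n' > "$demo/group.ok"

for pair in "su.before group.empty" "su.before group.ok" "su.after group.empty"; do
    set -- $pair
    rc=0; audit_su_pam "$demo/$1" "$demo/$2" || rc=$?
    echo "  $1 + $2 -> status $rc"
done
```

On a live system the two arguments would be the su PAM policy file and the group database; status 1 is the combination the release note says was removed.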
 

sumsum

Cadet
Joined
Feb 10, 2012
Messages
7
You upgraded from 8.0.3, right? Myself and protosd both upgraded from 8.0.2 and saw an important loss of data speed transfers.

I upgraded from 8.0.4 Release to p1
 