Date: Wed, 21 Mar 2007 09:05:19 -0500
Stephan Wiesand wrote:
> All,
>
> the OpenAFS project yesterday issued a security advisory. In short,
> allowing the client to honor the setuid bit is not secure, but that's
> the default setting for the local cell.
>
> For details, see
>
> http://openafs.org/security/OPENAFS-SA-2007-001.txt
>
> The issue is also explained in debian's advisory, maybe a bit simpler:
>
> http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00026.html
>
>
> With OpenAFS 1.4.4, the default has now been changed to not honor suid even
> for the local cell. Applying this change to older releases (1.2.13,
> 1.4.1) is simple, and this is what others (Debian, Mandriva) have done
> for their errata.
>
> Alas, this is not just a bug fix: There are sites where things will break,
> and I wonder whether (and if, how) such updates should be pushed out for
> SL3&4, especially since the workaround is quite simple.
>
> Any opinions?
>
> Stephan
>
Stephan,
What if we initially created an SL_ rpm for a quick fix while we debate
the best way to do this? That way, those sites who want to can
quickly fix the hole.
I've read the security release a couple of times and it says to run

    fs setcell -cell (local cell) -nosuid

Is this something to be put into the startup script, or is there a
setting in the configuration file that will fix it? I'm just looking
for the simplest way to get a fix to people.
Troy
--
__________________________________________________
Troy Dawson [log in to unmask] (630)840-6468
Fermilab Computing Division/LCSI/CSI DSS Group
__________________________________________________
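The question above is how to get the advisory's one-line workaround onto a client in a repeatable way. The script below is an added example written for this page; it is not from the thread, the OpenAFS project, or any distribution's errata. It reads the local cell name from the ThisCell file, asks the running cache manager whether setuid is still honored for that cell, applies "fs setcell -nosuid" only when needed, and re-checks that it took effect. Assumptions, all labelled in the code: the ThisCell file is at /usr/vice/etc/ThisCell (override with THISCELL), the fs binary is on PATH (override with FS), and "fs getcellstatus" prints "Cell NAME status: setuid allowed" or "Cell NAME status: no setuid allowed".

```shell
#!/bin/sh
# afs-nosuid.sh: added example for the OPENAFS-SA-2007-001 workaround.
# Not code from the OpenAFS project or from this thread.
#
# Assumptions (not taken from the page):
#   - the local cell name is the first line of the ThisCell file
#     (default /usr/vice/etc/ThisCell);
#   - "fs" is on PATH, or FS points at it;
#   - "fs getcellstatus -cell NAME" prints one line of the form
#       "Cell NAME status: setuid allowed"   or
#       "Cell NAME status: no setuid allowed".

THISCELL=${THISCELL:-/usr/vice/etc/ThisCell}
FS=${FS:-fs}

# Print the local cell name from a ThisCell file, with surrounding
# whitespace stripped. $1: path to the file.
local_cell() {
    head -n 1 "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# Classify one "fs getcellstatus" output line as "suid" or "nosuid".
# Returns 1 for anything else so an unexpected format is never treated
# as "already fixed". The "no setuid" pattern must be tested first,
# because it also contains the substring "setuid allowed".
cell_suid_state() {
    case "$1" in
        *"no setuid allowed"*) echo nosuid ;;
        *"setuid allowed"*)    echo suid ;;
        *)                     return 1 ;;
    esac
}

# Disable setuid for one cell, then verify by asking the cache manager
# again. Exits 0 only if the verified state is "nosuid". $1: cell name.
apply_nosuid() {
    cell=$1
    "$FS" setcell -cell "$cell" -nosuid || return 1
    state=$(cell_suid_state "$("$FS" getcellstatus -cell "$cell")") || return 1
    [ "$state" = nosuid ]
}

main() {
    cell=$(local_cell "$THISCELL") || { echo "cannot read $THISCELL" >&2; exit 1; }
    [ -n "$cell" ] || { echo "empty cell name in $THISCELL" >&2; exit 1; }
    status=$("$FS" getcellstatus -cell "$cell") || exit 1
    case "$(cell_suid_state "$status")" in
        nosuid) echo "$cell: setuid already disabled" ;;
        suid)   apply_nosuid "$cell" && echo "$cell: setuid now disabled" ;;
        *)      echo "unrecognised status: $status" >&2; exit 1 ;;
    esac
}

# Run main only when executed as a script, so the functions can be sourced.
case "$0" in
    */afs-nosuid.sh|afs-nosuid.sh) main ;;
esac
```

Two properties of fs setcell decide where this belongs: it talks to the running cache manager, so it can only be issued after afsd has started, and the setting lives in the cache manager's memory rather than in any configuration file, so it has to be reapplied at every boot. That is why the change goes into the client init script after afsd is launched, not into a config file. On a release that already defaults to nosuid, the script reports "setuid already disabled" and changes nothing, so the same snippet is safe across mixed client versions.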