Stephan Wiesand wrote:
> All,
> 
> the OpenAFS project yesterday issued a security advisory. In short,
> allowing the client to honor the setuid bit is not secure, but that's 
> the default setting for the local cell.
> 
> For details, see
> 
> http://openafs.org/security/OPENAFS-SA-2007-001.txt
> 
> The issue is also explained in debian's advisory, maybe a bit simpler:
> 
> http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00026.html 
> 
> 
> With OpenAFS 1.4.4, the default was now changed to not honor suid even 
> for the local cell. Applying this change to older releases (1.2.13, 
> 1.4.1) is simple, and this is what others (debian, mandriva) have done 
> for their errata.
> 
> Alas, this is not just a bug fix: There are sites where things will break,
> and I wonder whether (and if, how) such updates should be pushed out for 
> SL3&4, especially since the workaround is quite simple.
> 
> Any opinions?
> 
>   Stephan
> 

Stephan,
What if we initially created a SL_ rpm for a quick fix as we debate 
about the best way to do this.  That way, those sites who want to, can 
quickly fix the hole.

I've read the security release a couple times and it says to run
    fs setcell -cell (local cell) -nosuid

Is this something to be put into the startup script, or is there a 
setting in the configuration file that will fix it.  I'm just looking 
for the simplest way to get a fix to people.

Troy
-- 
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/LCSI/CSI DSS Group
__________________________________________________