Hi Troy,

[moving this to -devel only to reduce noise on -users]

On Wed, 21 Mar 2007, Troy Dawson wrote:

> What if we initially created a SL_ rpm for a quick fix as we debate about the 
> best way to do this.  That way, those sites who want to, can quickly fix the 
> hole.

I think that's a good idea. It also has the advantage that the %post could
turn suid off for the running client. Hence it's better than just an 
updated client.

> I've read the security release a couple times and it says to run
>   fs setcell -cell (local cell) -nosuid

Right. And this has to be run once asap after the client has started.

The command for %post could be

   fs setcell `fs wscell |cut -d \' -f2` -nosuid

and the one for the trigger

   sed -i "/AFS_POST_INIT/ifs setcell `fs wscell |cut -d \' -f2` -nosuid" /etc/init.d/afs

modulo the quoting required to prevent the `fs wscell` from being 
evaluated on the build machine (I think it doesn't really matter whether 
it's evaluated in %post during install time or every time the init script 
runs.

> Is this something to be put into the startup script, or is there a setting in 
> the configuration file that will fix it.  I'm just looking for the simplest 
> way to get a fix to people.

I guess the AFS_POST_INIT in /etc/sysconfig/afs cannot reliably be used 
for this purpose, hence modifying the init script is probably best.

You or me?

   Stephan

-- 
Stephan Wiesand
   DESY - DV -
   Platanenallee 6
   15738 Zeuthen, Germany