Date: Wed, 21 Mar 2007 15:34:04 +0100
Hi Troy,
[moving this to -devel only to reduce noise on -users]
On Wed, 21 Mar 2007, Troy Dawson wrote:
> What if we initially created a SL_ rpm for a quick fix as we debate about the
> best way to do this. That way, those sites who want to, can quickly fix the
> hole.
I think that's a good idea. It also has the advantage that the %post could
turn suid off for the running client. Hence it's better than just an
updated client.
> I've read the security release a couple times and it says to run
> fs setcell -cell (local cell) -nosuid
Right. And this has to be run once asap after the client has started.
The command for %post could be

    fs setcell `fs wscell |cut -d \' -f2` -nosuid

and the one for the trigger

    sed -i "/AFS_POST_INIT/ifs setcell `fs wscell |cut -d \' -f2` -nosuid" /etc/init.d/afs

modulo the quoting required to prevent the `fs wscell` from being
evaluated on the build machine (I think it doesn't really matter whether
it's evaluated in %post during install time or every time the init script
runs).
> Is this something to be put into the startup script, or is there a setting in
> the configuration file that will fix it. I'm just looking for the simplest
> way to get a fix to people.
I guess the AFS_POST_INIT in /etc/sysconfig/afs cannot reliably be used
for this purpose, hence modifying the init script is probably best.
You or me?
Stephan
--
Stephan Wiesand
DESY - DV -
Platanenallee 6
15738 Zeuthen, Germany
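
The quoting issue raised in the mail, worked through as an added example that is not part of the original message or of any Scientific Linux package: it inserts the `fs setcell ... -nosuid` line before each AFS_POST_INIT line without evaluating the backticks at build or install time, and does nothing on a second run. The function names and the stand-in init script are hypothetical, and it assumes `fs wscell` prints the cell name between single quotes, as the `cut -d \'` in the mail implies.

```shell
#!/bin/sh
# Added example, not from the original mail. The init-script contents below
# are constructed; only the AFS_POST_INIT marker comes from the thread.

# Quoted here-document: nothing is expanded, so the backticks reach the
# init script intact and `fs wscell` runs on the client at every start.
nosuid_line() {
    cat <<'EOF'
fs setcell `fs wscell | cut -d \' -f2` -nosuid
EOF
}

# Insert the line before each AFS_POST_INIT line, as the sed in the mail does.
patch_init_script() {
    script=$1
    # A trigger can fire on every update: do nothing if already patched.
    grep -q 'fs setcell .*-nosuid' "$script" && return 0
    # No marker to anchor on: fail loudly instead of skipping the mitigation.
    grep -q 'AFS_POST_INIT' "$script" || return 1
    tmp=$(mktemp) || return 1
    # ENVIRON hands the text to awk without escape processing, so \' survives.
    NOSUID_LINE=$(nosuid_line) awk '
        /AFS_POST_INIT/ { print ENVIRON["NOSUID_LINE"] }
        { print }
    ' "$script" > "$tmp" && cat "$tmp" > "$script"   # cat keeps mode and owner
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo on a constructed stand-in for /etc/init.d/afs.
demo=$(mktemp)
printf '%s\n' '#!/bin/sh' 'afsd $OPTIONS' '$AFS_POST_INIT' > "$demo"
patch_init_script "$demo" && patch_init_script "$demo"   # second call is a no-op
cat "$demo"
rm -f "$demo"
```

A non-zero return from `patch_init_script` means the marker was not found and the init script was left unchanged, so the caller should report that the mitigation was not installed.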