All,

the OpenAFS project yesterday issued a security advisory. In short, allowing the client to honor the setuid bit is not secure, but that's the default setting for the local cell. For details, see

http://openafs.org/security/OPENAFS-SA-2007-001.txt

The issue is also explained in Debian's advisory, maybe a bit simpler:

http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00026.html

With OpenAFS 1.4.4, the default was now changed to not honor suid even for the local cell. Applying this change to older releases (1.2.13, 1.4.1) is simple, and this is what others (Debian, Mandriva) have done for their errata.

Alas, this is not just a bug fix: there are sites where things will break, and I wonder whether (and if so, how) such updates should be pushed out for SL3&4, especially since the workaround is quite simple.

Any opinions?

Stephan

--
Stephan Wiesand
DESY - DV -
Platanenallee 6
15738 Zeuthen, Germany
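An added example, not part of the original message or of OpenAFS itself: a small audit for clients that have not yet been updated, listing the cells for which the cache manager still honors the setuid bit. It assumes the `fs getcellstatus` and `fs setcell -nosuid` subcommands of the OpenAFS client and the one-line-per-cell output format shown in the comments; the cell names are constructed placeholders.

```shell
#!/bin/sh
# Assumed output format of `fs getcellstatus`, one line per cell:
#   Cell <name> status: setuid allowed
#   Cell <name> status: no setuid allowed

# Read getcellstatus-style lines on stdin and print the names of the
# cells for which setuid programs are honored.
suid_cells() {
    awk '$1 == "Cell" && $3 == "status:" && $4 == "setuid" { print $2 }'
}

# Constructed sample output so the parser can be exercised offline.
sample_status() {
    cat <<'EOF'
Cell local.example.org status: setuid allowed
Cell other.example.net status: no setuid allowed
EOF
}

# On a real client: query the named cells and report the ones that
# still honor setuid, together with the command that turns it off.
audit_cells() {
    command -v fs >/dev/null 2>&1 || { echo "fs: command not found" >&2; return 2; }
    fs getcellstatus -cell "$@" | suid_cells | while read -r cell; do
        echo "setuid honored for $cell; disable with: fs setcell -cell $cell -nosuid"
    done
}

# With cell names as arguments, audit the live client; without any,
# run the parser over the constructed sample.
if [ "$#" -gt 0 ]; then
    audit_cells "$@"
else
    sample_status | suid_cells
fi
```

`fs setcell` changes the running cache manager only, so a site relying on it has to reapply the setting from the client's startup script after each restart.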