Hi Troy,

[moving this to -devel only to reduce noise on -users]

On Wed, 21 Mar 2007, Troy Dawson wrote:

> What if we initially created a SL_ rpm for a quick fix as we debate about the
> best way to do this. That way, those sites who want to, can quickly fix the
> hole.

I think that's a good idea. It also has the advantage that the %post could turn suid off for the running client. Hence it's better than just an updated client.

> I've read the security release a couple times and it says to run
> fs setcell -cell (local cell) -nosuid

Right. And this has to be run once asap after the client has started. The command for %post could be

    fs setcell `fs wscell |cut -d \' -f2` -nosuid

and the one for the trigger

    sed -i "/AFS_POST_INIT/ifs setcell `fs wscell |cut -d \' -f2` -nosuid" /etc/init.d/afs

modulo the quoting required to prevent the `fs wscell` from being evaluated on the build machine (I think it doesn't really matter whether it's evaluated in %post during install time or every time the init script runs).

> Is this something to be put into the startup script, or is there a setting in
> the configuration file that will fix it. I'm just looking for the simplest
> way to get a fix to people.

I guess the AFS_POST_INIT in /etc/sysconfig/afs cannot reliably be used for this purpose, hence modifying the init script is probably best.

You or me?

Stephan

-- 
Stephan Wiesand
DESY - DV -
Platanenallee 6
15738 Zeuthen, Germany
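
Added example (not part of the original message and not the SL package's scriptlet): one way to do the init script edit discussed above so that the backticks reach /etc/init.d/afs unevaluated and a repeated trigger run does not add the line twice. The function names, the first-match-only insertion and the sample init script are assumptions.

```shell
#!/bin/sh
# Added example; function names and the init-script layout are assumptions.

# The line to add. The quoted heredoc delimiter keeps the backticks and the \'
# literal, so `fs wscell` is evaluated each time the init script runs.
nosuid_line() {
    cat <<'EOF'
fs setcell `fs wscell | cut -d \' -f2` -nosuid
EOF
}

# Insert the line before the first line mentioning AFS_POST_INIT.
# Returns 0 if the line is present afterwards, 1 if no anchor line was found.
add_nosuid() {
    script=$1
    line=$(nosuid_line)
    # Idempotent: a trigger may fire on every package update.
    if grep -qF -- "$line" "$script"; then return 0; fi
    grep -q 'AFS_POST_INIT' "$script" || return 1
    tmp=$(mktemp "$script.XXXXXX") || return 1
    inserted=0
    while IFS= read -r cur || [ -n "$cur" ]; do
        case $cur in
            *AFS_POST_INIT*)
                if [ "$inserted" -eq 0 ]; then
                    printf '%s\n' "$line"
                    inserted=1
                fi ;;
        esac
        printf '%s\n' "$cur"
    done < "$script" > "$tmp"
    # Copy back over the original so its mode and ownership are kept.
    cat "$tmp" > "$script" && rm -f "$tmp"
}

# Demo on a constructed stand-in for /etc/init.d/afs (not the real script).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#!/bin/sh' 'afsd $OPTIONS' '$AFS_POST_INIT' > "$d/afs"
    add_nosuid "$d/afs" && add_nosuid "$d/afs" && cat "$d/afs"
    rm -rf "$d"
}
demo
```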