Stephan Wiesand wrote:
> All,
>
> the OpenAFS project yesterday issued a security advisory. In short,
> allowing the client to honor the setuid bit is not secure, but that's
> the default setting for the local cell.
>
> For details, see
>
> http://openafs.org/security/OPENAFS-SA-2007-001.txt
>
> The issue is also explained in debian's advisory, maybe a bit simpler:
>
> http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00026.html
>
>
> With OpenAFS 1.4.4, the default was now changed to not honor suid even
> for the local cell. Applying this change to older releases (1.2.13,
> 1.4.1) is simple, and this is what others (debian, mandriva) have done
> for their errata.
>
> Alas, this is not just a bug fix: There are sites where things will break,
> and I wonder whether (and if, how) such updates should be pushed out for
> SL3&4, especially since the workaround is quite simple.
>
> Any opinions?
>
> Stephan
>

Stephan,

What if we initially created a SL_ rpm for a quick fix as we debate about the best way to do this? That way, those sites who want to can quickly fix the hole.

I've read the security release a couple times and it says to run

    fs setcell -cell (local cell) -nosuid

Is this something to be put into the startup script, or is there a setting in the configuration file that will fix it?

I'm just looking for the simplest way to get a fix to people.

Troy
--
__________________________________________________
Troy Dawson
(630)840-6468
Fermilab Computing Division/LCSI/CSI DSS Group
__________________________________________________
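Added example, not from this thread and not OpenAFS or Scientific Linux project code: a small sh fragment of the kind that could sit in a client init script, which reads the local cell name, runs the `fs setcell -nosuid` command the advisory recommends, and then verifies the result instead of assuming it took. It assumes the `fs` binary is in PATH, that the client's cell name is in the standard OpenAFS file `/usr/vice/etc/ThisCell`, and that `fs getcellstatus` prints a line of the form `Cell <name> status: setuid allowed` or `Cell <name> status: no setuid allowed` (the parser below is written against that assumed format; the check function is separated out so it can be exercised on constructed text without an AFS client present).

```shell
#!/bin/sh
# Added example: enforce and verify "no setuid" for the local AFS cell.
# Assumptions (not taken from the thread): fs is in PATH, ThisCell is at
# the standard OpenAFS client path, and getcellstatus output looks like
#   Cell example.org status: setuid allowed
#   Cell example.org status: no setuid allowed

AFS_THISCELL=${AFS_THISCELL:-/usr/vice/etc/ThisCell}

# Print the local cell name: first non-empty line of ThisCell.
local_cell() {
  sed -n '/./{p;q;}' "$AFS_THISCELL"
}

# Classify one line of "fs getcellstatus" output.
# Returns 0 = setuid allowed (unsafe), 1 = no setuid allowed (safe),
#         2 = unrecognised line (treat as "do not trust the state").
suid_status_from_line() {
  case "$1" in
    *"status: no setuid allowed"*) return 1 ;;
    *"status: setuid allowed"*)    return 0 ;;
    *)                             return 2 ;;
  esac
}

# Apply the advisory's workaround to the local cell and confirm it.
# Returns 0 only when getcellstatus afterwards reports "no setuid allowed".
enforce_nosuid() {
  cell=$(local_cell) || return 2
  [ -n "$cell" ] || return 2
  fs setcell -cell "$cell" -nosuid || return 2
  status=$(fs getcellstatus -cell "$cell") || return 2
  suid_status_from_line "$status"
  [ $? -eq 1 ]
}

# Typical use from an init script: fail loudly rather than silently
# leaving setuid honoured for the local cell.
# enforce_nosuid || echo "WARNING: local cell still honours setuid" >&2
```

Using `getcellstatus` after `setcell` matters because `setcell` affects only the running client; a reboot on an unpatched release restores the old default, so the check is what tells you whether the startup-script route actually worked on a given box.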