The OpenAFS project yesterday issued a security advisory. In short, allowing the client to honor the setuid bit is not secure, but that's the default setting for the local cell. For details, see

  http://openafs.org/security/OPENAFS-SA-2007-001.txt

With OpenAFS 1.4.4, the default has now been changed to not honor suid even for the local cell. Applying this change to older releases (1.2.13, 1.4.1) is simple, and this is what others (Debian, Mandriva) have done for their errata.

Alas, this is not just a bug fix: *There are sites where things will break.* Because of that, we have created an SL rpm that will fix the problem for those that can use it. This will not be put on automatically, but currently must be done by hand. We are currently testing this rpm to make sure it is working correctly.

Below are the instructions for installing and testing.

Installing:

SL3
  yum -c ftp://ftp.scientificlinux.org/linux/scientific/30rolling/testing/yum.conf install SL_afs_nosuid

SL4
  yum -c ftp://ftp.scientificlinux.org/linux/scientific/40rolling/testing/yum.conf install SL_afs_nosuid
or
  yum --enablerepo=sl-testing install SL_afs_nosuid

How to Test:

The command "fs getcell <cell>" will tell you if you are able to do setuid or not.

Example - Is vulnerable (needs to be fixed)
  [root@bash ~]# fs getcell fnal.gov
  Cell fnal.gov status: setuid allowed

Example - Is not vulnerable (is fixed)
  [root@bash ~]# fs getcell fnal.gov
  Cell fnal.gov status: no setuid allowed

Many thanks go to Stephan Wiesand for his work on openafs for Scientific Linux.

Troy
--
__________________________________________________
Troy Dawson [log in to unmask] (630)840-6468
Fermilab ComputingDivision/LCSI/CSI DSS Group
__________________________________________________
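An added audit script, not from the post or the OpenAFS project, that turns the "fs getcell" test above into a check over every cell the client knows about. It assumes "fs listcells" prints lines of the form "Cell <name> on hosts ..."; the sample status lines in the demo are constructed from the two examples in the post.

```shell
#!/bin/sh
# Classify one line of "fs getcell <cell>" output.
# "no setuid allowed" must be matched before "setuid allowed", because the
# fixed-state string contains the vulnerable-state string; a naive
# grep for "setuid allowed" would report a fixed cell as vulnerable.
setuid_status() {
    case "$1" in
        *"no setuid allowed"*) echo fixed ;;
        *"setuid allowed"*)    echo vulnerable ;;
        *)                     echo unknown ;;
    esac
}

# Query one cell on a live AFS client. Prints "<cell> <status>" and
# returns non-zero when that cell still honors the setuid bit.
check_cell() {
    cell=$1
    status=$(setuid_status "$(fs getcell "$cell" 2>/dev/null)")
    echo "$cell $status"
    [ "$status" != vulnerable ]
}

# Walk every cell listed by "fs listcells" (assumed format:
# "Cell <name> on hosts ..."). A for loop is used instead of a pipeline
# into "while read" so the failure flag survives in the calling shell.
audit_all_cells() {
    rc=0
    for cell in $(fs listcells 2>/dev/null | awk '$1 == "Cell" { print $2 }'); do
        check_cell "$cell" || rc=1
    done
    return $rc
}

# Demo on constructed sample lines, so the classifier can be exercised
# on a host without an AFS client: run with "--demo".
if [ "${1:-}" = "--demo" ]; then
    setuid_status "Cell fnal.gov status: setuid allowed"      # vulnerable
    setuid_status "Cell fnal.gov status: no setuid allowed"   # fixed
else
    audit_all_cells
fi
```

On a client with the rpm installed, "audit_all_cells" should print "fixed" for every cell and exit 0; any "vulnerable" line names a cell that still needs attention.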