From the 'truth is stranger than fiction' department...

As many of you know, some time ago a security bug was found in most of the 
2.2.x series linux kernels, up to and including 2.2.15, which allowed any user 
on the system to become root.  Exploits were published, and the linux kernel 
folks got together and put out kernel 2.2.16, which protected against these 
attacks.

(For a sample vulnerability announcement, see 

http://www.sendmail.org/sendmail.8.10.1.LINUX-SECURITY.txt

A copy of the 2.2.16 announcement from the kernel folks is at

http://www.lwn.net/2000/0608/a/2.2.16-security.php3 )

Surprisingly, there has still been no announcement from Transarc regarding 
support for the 2.2.16 kernel, even though internally it has been known for 
some time that the 2.2.14 kernel load modules appear to work without 
modification with the 2.2.16 kernel.  Apparently, Transarc/IBM doesn't 
consider it important that _every_ supported afs linux client in the world
is exposed to a trivial root compromise.

But there is a larger issue.  About two days after Red Hat released the 2.2.16 
kernel RPM, I requested permission to put a load module I had built from 
source into the contrib area, not knowing that the 2.2.14 module would work.  
After weeks of feet dragging and no answers, I finally had a call returned 
from Gary Gerchak at IBM, who flat out refused to consider such a request, now 
or in the future.

I think it would be _extremely_ valuable to this community to have early 
access to afs for new kernels before Transarc/IBM goes through their testing 
cycle.  As I said to Gary, I think that their testing has value, but to 
actively suppress any type of early access is flat out wrong.  To say that a 
user site can't contrib an (unsupported) enhancement to an existing product is 
wrong for the community.  It's representative of a 50-year-old computer 
industry mindset (read: IBM), and I expect much more of a company involved in 
a core technology at our site.  Also, I think that the idea that IBM knows 
absolutely that a piece of technology is or is not in the best interest of the 
afs community is more than a little egotistical.

If you want to be spoon-fed whatever IBM wants to give you, and kept in the 
dark about everything else, do nothing.  If, on the other hand, you want to 
see useful tools shared in the afs community, let people know.  Get in touch 
with your support people, get in touch with Kelly Chambers, and get in touch 
with Gary.  Gary's email is [EMAIL PROTECTED], and his phone number is 
512-838-2715.  If you send him an email, cc: it here so we all can see.

Thanks.

--
Dave Thompson  <[EMAIL PROTECTED]>

Associate Researcher                    Department of Computer Science
University of Wisconsin-Madison         http://www.cs.wisc.edu/~thomas
1210 West Dayton Street                 Phone:    (608)-262-1017
Madison, WI 53706-1685                  Fax:      (608)-262-6626
--



