Your message dated Mon, 19 Mar 2007 21:17:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#414911: fixed in openafs 1.4.2-6
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: openafs-modules-source
Version: 1.4.2-2
Severity: normal
Hello!
I've noticed strange 'permission denied' errors when accessing files on
_non-AFS_ filesystem[s]. These errors are readily reproducible:
$ id -u
1000
$ id -G
2000 33847 37992 24 25 29 44 104 111 113 1000 5000 33847 37992
[33847 and 37992 are GIDs added by cache manager]
$ cd /tmp
[/tmp is tmpfs, but the xfs and ext3 behave in the same way]
$ mkdir test
$ chgrp 24 test
[Please note: 24 is the first GID after those added by cache manager]
chgrp: changing group of `test': Operation not permitted
$ chgrp 25 test
[all other GIDs are OK, as it should be]
Now, let's have more fun with it:
$ chmod 770 test; ksu -qe /bin/chown 0:24 test
$ ls -lnd test
drwxrwx--- 2 0 24 40 Nov 8 19:37 test
$ cd test
bash: cd: test: Permission denied
The same happens not only for directories, but also for ordinary files,
block and charater devices, etc. So, it looks like permission checks
ignore _the first GID after ones added by cache manager_ (24 in my example).
If I login on other console using *NIX password (as opposed to Kerberos
one), so my processes have only ordinary *NIX GIDs:
$ id -G
2000 24 25 29 44 104 111 113 1000 5000
$ cd /tmp/test
[OK, as it should be]
$ su -c 'chown 1000:2000 .'
[typed in root password]
$ ls -lnd .
drwxrwx--- 2 1000 2000 40 Nov 8 19:37 .
$ chgrp 24 .
[OK, as it should be]
The kernel I use is patched with grsecurity (http://www.grsecurity.net),
but the vanilla kernel is affected too. Note also that the bug seems to
be present only on SMP systems.
Just in a case, my kernel config is available at
http://theor.jinr.ru/~varg/misc/config-2.6.17.11-grsec-p4-smp.gz
Best regards,
Alexei
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.17.11-grsec-p4-smp
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Versions of packages openafs-modules-source depends on:
ii bison 1:2.3.dfsg-4 A parser generator that is compati
ii debhelper 5.0.40 helper programs for debian/rules
ii flex 2.5.33-10 A fast lexical analyzer generator.
hi kernel-package 10.064 A utility for building Linux kerne
ii module-assistant 0.10.7 tool to make module package creati
openafs-modules-source recommends no packages.
-- no debconf information
--
All science is either physics or stamp collecting.
signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
Source: openafs
Source-Version: 1.4.2-6
We believe that the bug you reported is fixed in the latest version of
openafs, which is due to be installed in the Debian FTP archive:
libopenafs-dev_1.4.2-6_i386.deb
to pool/main/o/openafs/libopenafs-dev_1.4.2-6_i386.deb
libpam-openafs-kaserver_1.4.2-6_i386.deb
to pool/main/o/openafs/libpam-openafs-kaserver_1.4.2-6_i386.deb
openafs-client_1.4.2-6_i386.deb
to pool/main/o/openafs/openafs-client_1.4.2-6_i386.deb
openafs-dbg_1.4.2-6_i386.deb
to pool/main/o/openafs/openafs-dbg_1.4.2-6_i386.deb
openafs-dbserver_1.4.2-6_i386.deb
to pool/main/o/openafs/openafs-dbserver_1.4.2-6_i386.deb
openafs-doc_1.4.2-6_all.deb
to pool/main/o/openafs/openafs-doc_1.4.2-6_all.deb
openafs-fileserver_1.4.2-6_i386.deb
to pool/main/o/openafs/openafs-fileserver_1.4.2-6_i386.deb
openafs-kpasswd_1.4.2-6_i386.deb
to pool/main/o/openafs/openafs-kpasswd_1.4.2-6_i386.deb
openafs-krb5_1.4.2-6_i386.deb
to pool/main/o/openafs/openafs-krb5_1.4.2-6_i386.deb
openafs-modules-source_1.4.2-6_all.deb
to pool/main/o/openafs/openafs-modules-source_1.4.2-6_all.deb
openafs_1.4.2-6.diff.gz
to pool/main/o/openafs/openafs_1.4.2-6.diff.gz
openafs_1.4.2-6.dsc
to pool/main/o/openafs/openafs_1.4.2-6.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russ Allbery <[EMAIL PROTECTED]> (supplier of updated openafs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 14 Mar 2007 18:37:12 -0700
Source: openafs
Binary: openafs-krb5 openafs-client libopenafs-dev openafs-modules-source
openafs-kpasswd libpam-openafs-kaserver openafs-dbserver openafs-dbg
openafs-fileserver openafs-doc
Architecture: source i386 all
Version: 1.4.2-6
Distribution: unstable
Urgency: medium
Maintainer: Sam Hartman <[EMAIL PROTECTED]>
Changed-By: Russ Allbery <[EMAIL PROTECTED]>
Description:
libopenafs-dev - AFS distributed filesystem development libraries
libpam-openafs-kaserver - AFS distributed filesystem kaserver PAM module
openafs-client - AFS distributed filesystem client support
openafs-dbg - AFS distributed filesystem debugging information
openafs-dbserver - AFS distributed filesystem database server
openafs-doc - AFS distributed filesystem documentation
openafs-fileserver - AFS distributed filesystem file server
openafs-kpasswd - AFS distributed filesystem old password changing
openafs-krb5 - AFS distributed filesystem Kerberos 5 integration
openafs-modules-source - AFS distributed filesystem kernel module source
Closes: 409184 413701 414800 414911 415294
Changes:
openafs (1.4.2-6) unstable; urgency=medium
.
* SECURITY: Apply upstream patch to disable setuid status on all cells
by default. Prior versions of AFS defaulted to honoring setuid bits
in the local cell, but since unauthenticated file access in AFS is
unencrypted, an attacker could forge packets from an AFS file server
to synthesize a setuid binary in AFS.
* Apply upstream fix to use a single high-numbered group for the PAG on
2.6 kernels and sort the group properly. Fixes AFS-caused group
ordering problems that could lead the kernel to ignore some group
membership for users. (Closes: #414911)
* Apply upstream fix for segfaults in pts rename. (Closes: #409184)
* Apply upstream fix to show reasonable free space numbers for AFS in
df. Without this fix, some programs which use df to check free space
may think that directories in AFS are full and prevent the user from
attempting to write files. (Closes: #415294)
* Translation updates:
- Dutch, thanks cobaco. (Closes: #413701)
- Portuguese, thanks Miguel Figueiredo. (Closes: #414800)
Files:
afaf685c99af69128748b18bc90863f3 869 net optional openafs_1.4.2-6.dsc
c708286273486c3f0138b8c1f9705d92 116782 net optional openafs_1.4.2-6.diff.gz
129d1607ecc92181da539b7c38ffb18a 2939840 doc optional
openafs-doc_1.4.2-6_all.deb
5f7b30c9dd3c302160d93c07ed467717 5624914 net extra
openafs-modules-source_1.4.2-6_all.deb
2473d4c92079f2380f678ada85cb44b3 2856500 net optional
openafs-client_1.4.2-6_i386.deb
176ded8e431553f240a210c3ad3ed1ac 271396 net extra
openafs-kpasswd_1.4.2-6_i386.deb
22d6d9e978ce0e70f2b09b4c85473fb1 1004102 net optional
openafs-fileserver_1.4.2-6_i386.deb
f5ba4e0ae7666931d9441578836a9df6 541686 net optional
openafs-dbserver_1.4.2-6_i386.deb
3b5f478dfcf84403dd52fa39bffa8ff9 159592 net optional
openafs-krb5_1.4.2-6_i386.deb
5ac66d9c9be9dd554e6f43f0f5b5f0cd 1872042 libdevel extra
libopenafs-dev_1.4.2-6_i386.deb
e8eb2cd941ab4560f173f058c1ec5ad8 412590 net extra
libpam-openafs-kaserver_1.4.2-6_i386.deb
7c8f15fdcb1cab16516a9521d1b0db75 1859742 libdevel extra
openafs-dbg_1.4.2-6_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFF/ukc+YXjQAr8dHYRAktUAJsEpDkVCfbLq06ItoSvE0L6Lr5TkwCcC9+i
UB6Vdh7GTJlwb4JE6RJ8jHU=
=r8Xm
-----END PGP SIGNATURE-----
--- End Message ---
