The OpenAFS project yesterday issued a security advisory. In short,
allowing the client to honor the setuid bit is not secure, but that's the default setting for the local cell.

For details, see
http://openafs.org/security/OPENAFS-SA-2007-001.txt

With OpenAFS 1.4.4, the default has now been changed to not honor suid even for the local cell. Applying this change to older releases (1.2.13, 1.4.1) is simple, and this is what others (Debian, Mandriva) have done for their errata.

Alas, this is not just a bug fix:
*There are sites where things will break.*

Because of that, we have created a SL rpm that will fix the problem for those that can use it. This will not be put on automatically, but currently must be done by hand.

We are currently testing this rpm to make sure it is working correctly. Below are the instructions for installing and testing.

Installing:
SL3
yum -c ftp://ftp.scientificlinux.org/linux/scientific/30rolling/testing/yum.conf install SL_afs_nosuid

SL4
yum -c ftp://ftp.scientificlinux.org/linux/scientific/40rolling/testing/yum.conf install SL_afs_nosuid
or
yum --enablerepo=sl-testing install SL_afs_nosuid

How to Test:
The command "fs getcell <cell>" will tell you if you are able to do setuid or not.

Example - Is vulnerable (needs to be fixed)
[EMAIL PROTECTED] ~]# fs getcell fnal.gov
Cell fnal.gov status: setuid allowed

Example - Is not vulnerable (is fixed)
[EMAIL PROTECTED] ~]# fs getcell fnal.gov
Cell fnal.gov status: no setuid allowed

Many thanks go to Stephan Wiesand for his work on openafs for Scientific Linux.

Troy
--
__________________________________________________
Troy Dawson  [EMAIL PROTECTED]  (630)840-6468
Fermilab  ComputingDivision/LCSI/CSI DSS Group
__________________________________________________
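
As an added example (not part of Troy's post or the SL rpm), a small POSIX sh audit that applies the "fs getcell" check above to every cell listed in the client's CellServDB and reports which ones still honor setuid. The CellServDB path /usr/vice/etc/CellServDB and the CellServDB line format (">cellname   #comment") are assumptions about a standard OpenAFS client; the sample lines are the ones quoted in the post.

```shell
#!/bin/sh
# Audit which AFS cells this client still honors setuid for.
# Parses the "fs getcell" output shown in the post:
#   "Cell <name> status: setuid allowed"     -> vulnerable (needs the fix)
#   "Cell <name> status: no setuid allowed"  -> fixed
# Caveat: "setuid allowed" is a substring of "no setuid allowed", so a naive
# grep for the former matches both lines; we match on the full status text.

# classify_getcell LINE -> prints "vulnerable", "fixed" or "unknown"
classify_getcell() {
    case "$1" in
        *"status: no setuid allowed"*) echo fixed ;;
        *"status: setuid allowed"*)    echo vulnerable ;;
        *)                             echo unknown ;;
    esac
}

# cells_from_cellservdb FILE -> one cell name per line.
# Assumption: cell header lines start with '>' and may carry a '#' comment,
# e.g. ">fnal.gov   #Fermilab"; server lines do not start with '>'.
cells_from_cellservdb() {
    awk '/^>/ { sub(/^>/, ""); sub(/#.*/, ""); if ($1 != "") print $1 }' "$1"
}

# audit_cells FILE -> runs "fs getcell" on each cell named in FILE,
# prints "<cell>: <status>" and returns 1 if any cell is still vulnerable.
audit_cells() {
    rc=0
    for cell in $(cells_from_cellservdb "$1"); do
        line=$(fs getcell "$cell" 2>/dev/null) || {
            echo "$cell: fs getcell failed"; continue; }
        status=$(classify_getcell "$line")
        echo "$cell: $status"
        [ "$status" = vulnerable ] && rc=1
    done
    return $rc
}

# Offline demo on the two constructed lines quoted in the post.
demo() {
    classify_getcell 'Cell fnal.gov status: setuid allowed'     # vulnerable
    classify_getcell 'Cell fnal.gov status: no setuid allowed'  # fixed
}

# On a real client: audit_cells /usr/vice/etc/CellServDB || echo "cells still honor setuid"
```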
