Hello!

The RHEL (RHEL 3 and RHEL 4) openafs package installs a SuidCells.dist file that contains the following entries:

athena.mit.edu
net.mit.edu
sipb.mit.edu
dev.mit.edu
ops.mit.edu

This file is merged during client startup with a SuidCells.local:

echo -n $"Updating SuidCells: "
cat /usr/vice/etc/SuidCells.local /usr/vice/etc/SuidCells.dist > \
                /usr/vice/etc/SuidCells
chmod 644 /usr/vice/etc/SuidCells

IMHO this is a security issue! This should *never* happen, because it poses a threat to inexperienced users and during updates of the client.

The same mechanism is applied to CellServDB!

We maintain our CellServDB ourselves for several reasons. This startup script mangles our configuration and interferes with our scripts. Even if I remove CellServDB.dist and CellServDB.local (which is empty), my CellServDB (maintained by cfengine, and on some older systems by a cronjob) is overwritten:

[EMAIL PROTECTED] etc]# pwd
/usr/vice/etc
[EMAIL PROTECTED] etc]# ls -l
insgesamt 160
-rwxr-xr-x  1 root root 121564 14. Okt 16:11 afsd
-rw-r--r--  1 root root     28 15. Nov 17:26 cacheinfo
-rw-r--r--  1 root root  26422 16. Nov 09:47 CellServDB
-rw-r--r--  1 root root      0 16. Nov 09:47 SuidCells
-rw-r--r--  1 root root     18 15. Nov 17:26 ThisCell
[EMAIL PROTECTED] etc]# service openafs-client start
Updating CellServDB: cat: /usr/vice/etc/CellServDB.local: Datei oder Verzeichnis nicht gefunden
cat: /usr/vice/etc/CellServDB.dist: Datei oder Verzeichnis nicht gefunden

Updating SuidCells: cat: /usr/vice/etc/SuidCells.local: Datei oder Verzeichnis nicht gefunden
cat: /usr/vice/etc/SuidCells.dist: Datei oder Verzeichnis nicht gefunden

Starting openafs-client: afsd: All AFS daemons started.
afsd: Can't mount AFS on /afs(22)

[EMAIL PROTECTED] etc]# ls -al
insgesamt 144
drwxr-xr-x  2 root root   4096 16. Nov 09:45 .
drwxr-xr-x  4 root root   4096 14. Okt 16:09 ..
-rwxr-xr-x  1 root root 121564 14. Okt 16:11 afsd
-rw-r--r--  1 root root     28 15. Nov 17:26 cacheinfo
-rw-r--r--  1 root root      0 16. Nov 09:48 CellServDB
-rw-r--r--  1 root root      0 16. Nov 09:48 SuidCells
-rw-r--r--  1 root root     18 15. Nov 17:26 ThisCell
[EMAIL PROTECTED] etc]#

There is *no* error handling in this part of the script!

The script should test for existing configuration files. Modifying CellServDB and SuidCells should be a configuration option in /etc/default/openafs that is switched off by default.


Regards,
Berthold Cogel
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
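The behaviour the post asks for (test for existing fragments, keep the merge behind an option that is off by default, never truncate a maintained file), as an added example that is not the openafs package's own init script; the option name AFS_UPDATE_CONFIGS and the function name are assumptions.

```shell
#!/bin/sh
# Added example, not the openafs package's own init script: regenerate
# CellServDB or SuidCells from its .local and .dist fragments only when
# the option is switched on and only from fragments that actually exist,
# so an administrator-maintained file is never replaced by an empty one.
# The option name AFS_UPDATE_CONFIGS and the function name are assumptions.

# merge_afs_config DIR NAME ENABLED
#   DIR      directory holding NAME, NAME.local and NAME.dist
#   NAME     CellServDB or SuidCells
#   ENABLED  "yes" to allow regeneration; anything else refuses
# Returns 0 if NAME was regenerated, 1 if it was left untouched.
merge_afs_config() {
    dir=$1; name=$2; enabled=$3
    target="$dir/$name"

    # Off by default: a maintained CellServDB/SuidCells stays as it is.
    [ "$enabled" = "yes" ] || return 1

    # Only include fragments that exist; with none there is nothing to
    # merge, and the original "cat a b > target" would truncate target.
    set --
    for frag in "$target.local" "$target.dist"; do
        if [ -f "$frag" ]; then set -- "$@" "$frag"; fi
    done
    [ $# -gt 0 ] || return 1

    # Write to a temporary file and rename it into place, so a failure
    # part-way through never leaves a half-written or empty target.
    tmp="$target.tmp.$$"
    if ! cat "$@" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 644 "$tmp" && mv -f "$tmp" "$target"
}

# How the init script would use it: the option comes from the defaults
# file and is "no" unless the administrator enables it.
AFS_UPDATE_CONFIGS=no
if [ -r /etc/default/openafs ]; then . /etc/default/openafs; fi
for name in CellServDB SuidCells; do
    if merge_afs_config /usr/vice/etc "$name" "$AFS_UPDATE_CONFIGS"; then
        echo "Updating $name: done"
    else
        echo "Updating $name: skipped, existing file left untouched"
    fi
done
```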
