[OpenAFS] openafs-1.4.2 RHEL RPM package installs nonempty SuidCells and mangles CellServDB

Berthold Cogel cogel@rrz.uni-koeln.de
Thu, 16 Nov 2006 10:10:27 +0100 

Hello!

The RHEL (RHEL 3 and RHEL 4) openafs package installs a SuidCells.dist 
file that contains the following entrys:

athena.mit.edu
net.mit.edu
sipb.mit.edu
dev.mit.edu
ops.mit.edu

This file is merged during client startup with a SuidCells.local:

echo -n $"Updating SuidCells: "
cat /usr/vice/etc/SuidCells.local /usr/vice/etc/SuidCells.dist > \
		/usr/vice/etc/SuidCells
chmod 644 /usr/vice/etc/SuidCells

IMHO this is a security issue! This should not *never* happen, because 
it poses a threat to unexperienced users and during updates of the client.

The same mechanism is applied to CellServDB!

We maintain our CellServDB ourself for several reasons. This startup 
script mangles our configuration and interferes with our scripts. Even 
if I remove CellServDB.dist and CellServDB.local (which is empty), my 
CellServDB (maintained by cfengine, and on some older systems by a 
cronjob) is overwritten:

[root@sipserv etc]# pwd
/usr/vice/etc
[root@sipserv etc]# ls -l
insgesamt 160
-rwxr-xr-x  1 root root 121564 14. Okt 16:11 afsd
-rw-r--r--  1 root root     28 15. Nov 17:26 cacheinfo
-rw-r--r--  1 root root  26422 16. Nov 09:47 CellServDB
-rw-r--r--  1 root root      0 16. Nov 09:47 SuidCells
-rw-r--r--  1 root root     18 15. Nov 17:26 ThisCell
[root@sipserv etc]# service openafs-client start
Updating CellServDB: cat: /usr/vice/etc/CellServDB.local: Datei oder 
Verzeichnis nicht gefunden
cat: /usr/vice/etc/CellServDB.dist: Datei oder Verzeichnis nicht gefunden

Updating SuidCells: cat: /usr/vice/etc/SuidCells.local: Datei oder 
Verzeichnis nicht gefunden
cat: /usr/vice/etc/SuidCells.dist: Datei oder Verzeichnis nicht gefunden

Starting openafs-client: afsd: All AFS daemons started.
afsd: Can't mount AFS on /afs(22)

[root@sipserv etc]# ls -al
insgesamt 144
drwxr-xr-x  2 root root   4096 16. Nov 09:45 .
drwxr-xr-x  4 root root   4096 14. Okt 16:09 ..
-rwxr-xr-x  1 root root 121564 14. Okt 16:11 afsd
-rw-r--r--  1 root root     28 15. Nov 17:26 cacheinfo
-rw-r--r--  1 root root      0 16. Nov 09:48 CellServDB
-rw-r--r--  1 root root      0 16. Nov 09:48 SuidCells
-rw-r--r--  1 root root     18 15. Nov 17:26 ThisCell
[root@sipserv etc]#

There is *no* error handling in this part of the script!

The script should test for existing configuration files. Modifying 
CellServDB and SuidCells should be a configuration option in 
/etc/default/openafs that is switched off by default.


Regards,
Berthold Cogel