[OpenAFS] openafs-1.4.2 RHEL RPM package installs nonempty SuidCells and mangles CellServDB

Derrick J Brashear shadow@dementia.org
Thu, 16 Nov 2006 10:11:35 -0500 (EST)


> IMHO this is a security issue! This should *never* happen, because it 
> poses a threat to inexperienced users and during updates of the client.

Ok, but.

> The same mechanism is applied to CellServDB!
>
> We maintain our CellServDB ourselves for several reasons. This startup script 
> mangles our configuration and interferes with our scripts. Even if I remove 
> CellServDB.dist and CellServDB.local (which is empty), my CellServDB 
> (maintained by cfengine, and on some older systems by a cronjob) is 
> overwritten:

Most people don't have their own, and so instead we'll get people for whom 
CellServDB never updates. Unless you can offer a solution to that, you'll 
get no traction.

> The script should test for existing configuration files. Modifying CellServDB 
> and SuidCells should be a configuration option in /etc/default/openafs that 
> is switched off by default.

SuidCells I buy. CellServDB, nope, try again. Like, for all the sites 
which already have the global CellServDB, unless they opt in, they'll 
never get an update again. That's unacceptable.

Derrick