[OpenAFS] openafs-1.4.2 RHEL RPM package installs nonempty SuidCells and mangles CellServDB

Derek Atkins warlord@MIT.EDU
Thu, 16 Nov 2006 10:16:13 -0500

The RPM will combine /usr/vice/etc/CellServDB.local with
/usr/vice/etc/CellServDB.dist into /usr/vice/etc/CellServDB.
If you have local changes you want to make to the CellServDB
then put them into CellServDB.local and the RPM will include
them in the new CellServDB.  This is done at every 'start'
(or at least checked).

SuidCells is handled the same way.


Quoting Derrick J Brashear <shadow@dementia.org>:

>> IMHO this is a security issue! This should not *never* happen, 
>> because it poses a threat to unexperienced users and during updates 
>> of the client.
> Ok, but.
>> The same mechanism is applied to CellServDB!
>> We maintain our CellServDB ourself for several reasons. This startup 
>> script mangles our configuration and interferes with our scripts. 
>> Even if I remove CellServDB.dist and CellServDB.local (which is 
>> empty), my CellServDB (maintained by cfengine, and on some older 
>> systems by a cronjob) is overwritten:
> Most people don't have their own, and so instead we'll get people for 
> whom CellServDB never updates. Unless you can offer a solution to 
> that, you'll get no traction.
>> The script should test for existing configuration files. Modifying 
>> CellServDB and SuidCells should be a configuration option in 
>> /etc/default/openafs that is switched off by default.
> SuidCells I buy. CellServDB, nope, try again. Like, for all the sites 
> which already have the global CellServDB, unless they opt in, they'll 
> never get an update again. That's unacceptable.
> Derrick
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available