[OpenAFS] openafs-1.4.2 RHEL RPM package installs nonempty SuidCells and mangles CellServDB

Derek Atkins warlord@MIT.EDU
Thu, 16 Nov 2006 19:26:08 -0500 

No, it doesn't handle that case explicitly.    It WILL put contents
of CellServDB.local ahead of CellServDB.dist, but I don't know what
the OpenAFS code does if it finds the same cell listed twice.

-derek

Quoting Jason Edgecombe <jedgecombe@carolina.rr.com>:

> Does the RPM init.d script properly handle the case where you need to 
> update an existing entry in the CellServdb.dist file?
>
> at uncc.edu, we changed our DB servers, but the CellServDB.dist file 
> hasn't caught up yet because until this week, a new version hadn't 
> been published since we changed it.
>
> Thanks,
> Jason Edgecombe
>
> Derek Atkins wrote:
>> The RPM will combine /usr/vice/etc/CellServDB.local with
>> /usr/vice/etc/CellServDB.dist into /usr/vice/etc/CellServDB.
>> If you have local changes you want to make to the CellServDB
>> then put them into CellServDB.local and the RPM will include
>> them in the new CellServDB.  This is done at every 'start'
>> (or at least checked).
>>
>> SuidCells is handled the same way.
>>
>> -derek
>>
>> Quoting Derrick J Brashear <shadow@dementia.org>:
>>
>>>> IMHO this is a security issue! This should not *never* happen, 
>>>> because it poses a threat to unexperienced users and during 
>>>> updates of the client.
>>>
>>> Ok, but.
>>>
>>>> The same mechanism is applied to CellServDB!
>>>>
>>>> We maintain our CellServDB ourself for several reasons. This 
>>>> startup script mangles our configuration and interferes with our 
>>>> scripts. Even if I remove CellServDB.dist and CellServDB.local 
>>>> (which is empty), my CellServDB (maintained by cfengine, and on 
>>>> some older systems by a cronjob) is overwritten:
>>>
>>> Most people don't have their own, and so instead we'll get people 
>>> for whom CellServDB never updates. Unless you can offer a solution 
>>> to that, you'll get no traction.
>>>
>>>> The script should test for existing configuration files. Modifying 
>>>> CellServDB and SuidCells should be a configuration option in 
>>>> /etc/default/openafs that is switched off by default.
>>>
>>> SuidCells I buy. CellServDB, nope, try again. Like, for all the 
>>> sites which already have the global CellServDB, unless they opt in, 
>>> they'll never get an update again. That's unacceptable.
>>>
>>> Derrick
>>>
>>> _______________________________________________
>>> OpenAFS-info mailing list
>>> OpenAFS-info@openafs.org
>>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>>
>>
>>
>>
>
>



-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available