[OpenAFS] Updated SNA OpenAFS Client Installer for MacOS
Evan Macbeth
emacbeth@sinenomine.net
Thu, 4 Feb 2016 18:50:21 +0000
Availability of Updated OpenAFS Client Installer for MacOS

Sine Nomine Associates is proud to provide availability of an updated version of our signed OpenAFS MacOS 10 client installer. As with the previously announced version, this is provided as a donation to OpenAFS.org through the OpenAFS Foundation.

This version of the signed installer fixes problems with the Finder's ability to access files over network filesystems other than CIFS. (Details in the Release Notes, below.)

The versions of the packages are OpenAFS 1.6.16 for Mac OSX 10.9 (Mavericks), Mac OSX 10.10 (Yosemite), and Mac OSX 10.11 (El Capitan) with some additional patches to address the reported issues with the previous version. Please note that, at present, this is considered a pre-release of the SNA signed installer although it has proven operationally worthwhile at at least three sites. As with the previously announced version, these installers are signed using SNA's certificate. As soon as the Foundation is ready to do so, SNA will make available the then-current and future releases to the Foundation for the Foundation's signature and formal, official release to the community.

The signed installers are available here:
http://download.sinenomine.net/openafs/bins/1.6.16/

Release Notes:

The disk images provided here provide support for recent Mac OS X versions, including provisional support for System Integrity Protection (aka "rootless") on 10.11.

Included is an experimental change to the client to support the additional security verification of 10.11, where programs using the native "Cocoa" API will ask various root daemons (taskgated, DesktopServicesHelper, syspolicyd, possibly others depending on configuration) to verify files for them; these daemons do not have access to the user's token, and would normally fail verification as a result. This change means that root can read any AFS-resident file that is locally cached without a token. While this is technically a security violation, it should be noted that all versions of IBM AFS and OpenAFS already allow root (or, with lax cache permissions, potentially any user) to read any locally cached file by accessing the cache directory directly. Thus, the risk this introduces is no greater than the risks already carried by sites using AFS.

Programs using the BSD APIs do not use the root daemons and work as expected, unless you run a signed binary from OpenAFS, in which case taskgated will attempt to verify the binary's signature and internal requirements and entitlements; this again requires the above root access change.

On 10.11, client commands are installed to /opt/openafs/bin instead of /usr/bin. The system path database is modified to add this directory to the $PATH of new sessions. Running sessions after initial installation of the client will need to add /opt/openafs/bin to their $PATH manually.
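
Two post-install checks that follow from the notes above (the cache-directory exposure and the /opt/openafs/bin $PATH change), as an added example that is not part of this announcement or of SNA's installer; the cache directory path is an assumed default overridable via AFS_CACHE_DIR, and the functions are plain POSIX sh.

```shell
#!/bin/sh
# Added example, not part of the SNA announcement or installer.
# Two checks a site admin can run after installing the 1.6.16 client:
#  1. whether the local AFS cache directory is readable by other users
#     (the "lax cache permissions" exposure the release notes mention);
#  2. whether /opt/openafs/bin, the 10.11 install location, is on $PATH.
# The cache directory path below is an ASSUMED default, not from the notes;
# override it with AFS_CACHE_DIR for your site.

# Return 0 if group or other have any permission bits on DIR (lax), 1 if the
# directory is owner-only, 2 if DIR does not exist. Uses `ls -ld` (mode string
# chars 5-10 are the group/other bits) so it runs unchanged on macOS and Linux.
cache_mode_is_lax() {
    dir="$1"
    [ -d "$dir" ] || return 2
    bits=$(ls -ld "$dir" | cut -c5-10)
    case "$bits" in
        ------) return 1 ;;
        *)      return 0 ;;
    esac
}

# Return 0 if DIR appears as a whole element of the colon-separated PATHSTR.
path_has_dir() {
    pathstr="$1"; dir="$2"
    case ":$pathstr:" in
        *":$dir:"*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Report both findings for the running session; exit status 1 if anything
# needs attention, so the function can drive a post-install script.
check_client_install() {
    cache_dir="${AFS_CACHE_DIR:-/var/db/openafs/cache}"   # assumed default
    status=0
    if cache_mode_is_lax "$cache_dir"; then
        echo "WARN: $cache_dir is readable by other users; any local user" \
             "can read locally cached AFS files without a token"
        status=1
    fi
    if ! path_has_dir "$PATH" /opt/openafs/bin; then
        echo "NOTE: /opt/openafs/bin is not in this session's PATH;" \
             "add it or start a new session"
        status=1
    fi
    return $status
}
```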

The change to enable root to perform security checks appears to have introduced an occasional issue where tab completion in a directory will not work unless the directory's contents have previously been listed (e.g. with "ls"). While the security checks are only performed on 10.11, the root access code path is active in all of the clients, so this will also occur on 10.9 and 10.10. We are still working on diagnosing the cause, and will provide an updated release when it is available. In testing, this issue has proven uncommon and transient for most sites.

NOTE: The preference pane remains deprecated in this version of the client. Sine Nomine is working on addressing problems in the preference pane for future versions.

Respectfully Submitted,
Evan Macbeth