openafs (1.4.2-6) unstable; urgency=medium

  As of this release of the OpenAFS kernel module, all cells, including
  the local cell, have setuid support turned off by default due to the
  possibility of an attacker forging AFS fileserver responses to create a
  fake setuid binary. Prior releases enabled setuid support for the local
  cell. Those binaries will now run with normal permissions by default.

  This security fix will only take effect once you've installed a kernel
  module from openafs-modules-source 1.4.2-6 or later. Doing so is highly
  recommended. In the meantime, you can disable setuid support by

      fs setcell -cell <localcell> -nosuid

  as root (where <localcell> is your local cell, the one listed in
  /etc/openafs/ThisCell).

  If you are certain there is no security risk of an attacker forging AFS
  fileserver responses, you can enable setuid status selectively using the

 -- Russ Allbery <rra@debian.org> Sun, 11 Mar 2007 22:28:07 -0700
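
Added example, not part of the original NEWS entry or of the OpenAFS package: a script for the interim workaround above that reads the local cell from /etc/openafs/ThisCell, checks whether the cache manager still honours setuid for it, and runs the fs setcell command from the entry only when needed. It assumes "fs getcellstatus" reports "Cell <name> status: [no ]setuid allowed"; the function names and the --enforce switch are hypothetical.

```shell
#!/bin/sh
# Added example: audit and disable setuid support for the local AFS cell.
# Path taken from the NEWS entry; override THISCELL_FILE for testing.
THISCELL_FILE="${THISCELL_FILE:-/etc/openafs/ThisCell}"

# Print the local cell name (first word of the first line of the file).
local_cell() {
    [ -r "$1" ] || return 1
    read -r cell _rest < "$1" || [ -n "$cell" ] || return 1
    printf '%s\n' "$cell"
}

# Read "fs getcellstatus" output on stdin and print every cell that still
# honours setuid. Assumed line format:
#   Cell <name> status: [no ]setuid allowed
suid_enabled_cells() {
    awk '$1 == "Cell" && $3 == "status:" && $4 == "setuid" && $5 == "allowed" { print $2 }'
}

# Disable setuid for the local cell if it is still enabled. Must run as root.
# Returns 2 if the cell cannot be determined, 1 if an fs command fails.
enforce_nosuid() {
    cell=$(local_cell "$THISCELL_FILE") || {
        echo "cannot read $THISCELL_FILE" >&2; return 2; }
    [ -n "$cell" ] || { echo "empty cell name in $THISCELL_FILE" >&2; return 2; }
    status=$(fs getcellstatus -cell "$cell") || return 1
    if [ -n "$(printf '%s\n' "$status" | suid_enabled_cells)" ]; then
        fs setcell -cell "$cell" -nosuid || return 1
        echo "setuid disabled for $cell"
    else
        echo "setuid already disabled for $cell"
    fi
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "--enforce" ]; then
    enforce_nosuid
fi
```

The setting made by fs setcell lives in the running cache manager, so the check is worth repeating after each client restart until the fixed kernel module is installed.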