From c0414134f8d7a4ebd74a5ff619cc97eea7bd6445 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 19 Mar 2007 21:06:14 +0000 Subject: [PATCH] * SECURITY: Apply upstream patch to disable setuid status on all cells by default. Prior versions of AFS defaulted to honoring setuid bits in the local cell, but since unauthenticated file access in AFS is unencrypted, an attacker could forge packets from an AFS file server to synthesize a setuid binary in AFS. --- debian/changelog | 7 ++++++- debian/openafs-client.NEWS | 24 ++++++++++++++++++++++++ debian/rules | 5 +++++ src/afs/afs_cell.c | 3 +-- 4 files changed, 36 insertions(+), 3 deletions(-) create mode 100644 debian/openafs-client.NEWS diff --git a/debian/changelog b/debian/changelog index 7fdbea16c..695148e02 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,10 @@ openafs (1.4.2-6) unstable; urgency=medium + * SECURITY: Apply upstream patch to disable setuid status on all cells + by default. Prior versions of AFS defaulted to honoring setuid bits + in the local cell, but since unauthenticated file access in AFS is + unencrypted, an attacker could forge packets from an AFS file server + to synthesize a setuid binary in AFS. * Apply upstream fix to use a single high-numbered group for the PAG on 2.6 kernels and sort the group properly. Fixes AFS-caused group ordering problems that could lead the kernel to ignore some group @@ -13,7 +18,7 @@ openafs (1.4.2-6) unstable; urgency=medium - Dutch, thanks cobaco. (Closes: #413701) - Portuguese, thanks Miguel Figueiredo. (Closes: #414800) - -- + -- Russ Allbery Wed, 14 Mar 2007 18:37:12 -0700 openafs (1.4.2-5) unstable; urgency=low diff --git a/debian/openafs-client.NEWS b/debian/openafs-client.NEWS new file mode 100644 index 000000000..a78507f7a --- /dev/null +++ b/debian/openafs-client.NEWS @@ -0,0 +1,24 @@ +openafs (1.4.2-6) unstable; urgency=medium + + As of this release of the OpenAFS kernel module, all cells, including + the local cell, have setuid support turned off by default due to the + possibility of an attacker forging AFS fileserver responses to create a + fake setuid binary. Prior releases enabled setuid support for the local + cell. Those binaries will now run with normal permissions by default. + + This security fix will only take effect once you've installed a kernel + module from openafs-modules-source 1.4.2-6 or later. Doing so is highly + recommended. In the meantime, you can disable setuid support by + running: + + fs setcell -cell -nosuid + + as root (where is your local cell, the one listed in + /etc/openafs/ThisCell). + + If you are certain there is no security risk of an attacker forging AFS + fileserver responses, you can enable setuid status selectively using the + fs setcell command. + + -- Russ Allbery Sun, 11 Mar 2007 22:28:07 -0700 + diff --git a/debian/rules b/debian/rules index 7f2583c9d..30700415d 100755 --- a/debian/rules +++ b/debian/rules @@ -159,11 +159,16 @@ install: build # Build architecture-independent files here. Pass -i to all debhelper # commands in this target to reduce clutter. +# +# Also install debian/openafs-client.NEWS in the openafs-modules-source +# package. binary-indep: DH_OPTIONS=-i binary-indep: build install binary-source dh_testdir dh_testroot dh_installchangelogs NEWS + install -m 644 debian/openafs-client.NEWS \ + debian/$(srcpkg)/usr/share/doc/$(srcpkg)/NEWS.Debian dh_installdocs -XQuickStartWindows -Xwinnotes dh_installexamples dh_link diff --git a/src/afs/afs_cell.c b/src/afs/afs_cell.c index 77b7bf832..564c0be2e 100644 --- a/src/afs/afs_cell.c +++ b/src/afs/afs_cell.c @@ -708,8 +708,7 @@ afs_NewCell(char *acellName, afs_int32 * acellHosts, int aflags, tc->vlport = AFS_VLPORT; RWLOCK_INIT(&tc->lock, "cell lock"); newc = 1; - if (afs_thiscell && !strcmp(acellName, afs_thiscell)) - aflags &= ~CNoSUID; + aflags |= CNoSUID; } ObtainWriteLock(&tc->lock, 688); -- 2.11.4.GIT