* SECURITY: Apply upstream patch to disable setuid status on all cells

  by default.  Prior versions of AFS defaulted to honoring setuid bits
  in the local cell, but since unauthenticated file access in AFS is
  unencrypted, an attacker could forge packets from an AFS file server
  to synthesize a setuid binary in AFS.

diff --git a/debian/changelog b/debian/changelog
index 7fdbea16c20815c17843d1d72aac86606d57597f..695148e028d644213bcbd1cc58fca783b0ccc185 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,10 @@
 openafs (1.4.2-6) unstable; urgency=medium
 
+  * SECURITY: Apply upstream patch to disable setuid status on all cells
+    by default.  Prior versions of AFS defaulted to honoring setuid bits
+    in the local cell, but since unauthenticated file access in AFS is
+    unencrypted, an attacker could forge packets from an AFS file server
+    to synthesize a setuid binary in AFS.
   * Apply upstream fix to use a single high-numbered group for the PAG on
     2.6 kernels and sort the group properly.  Fixes AFS-caused group
     ordering problems that could lead the kernel to ignore some group
@@ -13,7 +18,7 @@ openafs (1.4.2-6) unstable; urgency=medium
     - Dutch, thanks cobaco.  (Closes: #413701)
     - Portuguese, thanks Miguel Figueiredo.  (Closes: #414800)
 
- --
+ -- Russ Allbery <rra@debian.org>  Wed, 14 Mar 2007 18:37:12 -0700
 
 openafs (1.4.2-5) unstable; urgency=low
 

diff --git a/debian/openafs-client.NEWS b/debian/openafs-client.NEWS
new file mode 100644 (file)
index 0000000..a78507f
--- /dev/null
+++ b/debian/openafs-client.NEWS
@@ -0,0 +1,24 @@
+openafs (1.4.2-6) unstable; urgency=medium
+
+  As of this release of the OpenAFS kernel module, all cells, including
+  the local cell, have setuid support turned off by default due to the
+  possibility of an attacker forging AFS fileserver responses to create a
+  fake setuid binary.  Prior releases enabled setuid support for the local
+  cell.  Those binaries will now run with normal permissions by default.
+
+  This security fix will only take effect once you've installed a kernel
+  module from openafs-modules-source 1.4.2-6 or later.  Doing so is highly
+  recommended.  In the meantime, you can disable setuid support by
+  running:
+
+      fs setcell -cell <localcell> -nosuid
+
+  as root (where <localcell> is your local cell, the one listed in
+  /etc/openafs/ThisCell).
+
+  If you are certain there is no security risk of an attacker forging AFS
+  fileserver responses, you can enable setuid status selectively using the
+  fs setcell command.
+
+ -- Russ Allbery <rra@debian.org>  Sun, 11 Mar 2007 22:28:07 -0700
+

diff --git a/debian/rules b/debian/rules
index 7f2583c9d1dceeeb777ab3af8a56e623bac217c3..30700415d0b5bcfd95c7b03c6236a009c2b009e8 100755 (executable)
--- a/debian/rules
+++ b/debian/rules
@@ -159,11 +159,16 @@ install: build
 
 # Build architecture-independent files here.  Pass -i to all debhelper
 # commands in this target to reduce clutter.
+#
+# Also install debian/openafs-client.NEWS in the openafs-modules-source
+# package.
 binary-indep: DH_OPTIONS=-i
 binary-indep: build install binary-source
        dh_testdir
        dh_testroot
        dh_installchangelogs NEWS
+       install -m 644 debian/openafs-client.NEWS \
+           debian/$(srcpkg)/usr/share/doc/$(srcpkg)/NEWS.Debian
        dh_installdocs -XQuickStartWindows -Xwinnotes
        dh_installexamples
        dh_link

diff --git a/src/afs/afs_cell.c b/src/afs/afs_cell.c
index 77b7bf832e2d11b0036ef3292d7ceffd255de7f1..564c0be2e10ce13757a9ffdb0ea2f21db946fa3a 100644 (file)
--- a/src/afs/afs_cell.c
+++ b/src/afs/afs_cell.c
@@ -708,8 +708,7 @@ afs_NewCell(char *acellName, afs_int32 * acellHosts, int aflags,
        tc->vlport = AFS_VLPORT;
        RWLOCK_INIT(&tc->lock, "cell lock");
        newc = 1;
-       if (afs_thiscell && !strcmp(acellName, afs_thiscell))
-           aflags &= ~CNoSUID;
+       aflags |= CNoSUID;
     }
     ObtainWriteLock(&tc->lock, 688);