[1949] in testers
7.4C /etc/athena/config_afs
daemon@ATHENA.MIT.EDU (John Carr)
Wed May 27 17:11:57 1992
To: testers@Athena.MIT.EDU
Date: Wed, 27 May 1992 17:11:35 EDT
From: John Carr <jfc@Athena.MIT.EDU>
/etc/athena/config_afs updates the SuidCells file incorrectly. It is
wrong to force a private workstation to allow setuid from a cell; but
the current design only allows a workstation maintainer to add to the
list, not delete cells.
I suggest making config_afs update only SuidCells.public. On public
and some private workstations SuidCells can be a link to this file.
On private workstations SuidCells can be a regular file.
Changes to implement this:
*** config_afs.orig Fri May 8 13:37:10 1992
--- config_afs Wed May 27 17:08:31 1992
***************
*** 25,37 ****
END {printf("\n")}' ${CELLDB} | \
/bin/sh
echo "Updating setuid cell information"
rm -f ${VICEDIR}/Ctmp
cp /afs/athena.mit.edu/service/SuidCells ${VICEDIR}/Ctmp && \
[ -s ${VICEDIR}/Ctmp ] && \
mv -f ${VICEDIR}/Ctmp ${SUIDDB}.public && \
! cat ${SUIDDB}.public ${SUIDDB}.local >${VICEDIR}/Ctmp 2>/dev/null
! mv -f ${VICEDIR}/Ctmp ${SUIDDB}
echo "Only allowing setuid/setgid programs from the following cells:"
--- 25,41 ----
END {printf("\n")}' ${CELLDB} | \
/bin/sh
+ if [ "${PUBLIC}" = "true" ] ; then
+ rm -f ${SUIDDB}
+ ln -s SuidCells.public ${SUIDDB}
+ fi
+
echo "Updating setuid cell information"
rm -f ${VICEDIR}/Ctmp
cp /afs/athena.mit.edu/service/SuidCells ${VICEDIR}/Ctmp && \
[ -s ${VICEDIR}/Ctmp ] && \
mv -f ${VICEDIR}/Ctmp ${SUIDDB}.public && \
! cat ${SUIDDB}.local >>${VICEDIR}.public 2>/dev/null
echo "Only allowing setuid/setgid programs from the following cells:"
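Review bot: the new last line of the chain appends the local cells to the wrong file. "! cat ${SUIDDB}.local >>${VICEDIR}.public 2>/dev/null" writes to ${VICEDIR}.public, a path beside the vice directory rather than the SuidCells.public file inside it, so locally added cells never reach ${SUIDDB}.public and the symlink created for public workstations serves only the AFS copy; the redirection should be ">>${SUIDDB}.public". Two smaller points in the same hunk: "rm -f ${SUIDDB}" followed by "ln -s SuidCells.public ${SUIDDB}" leaves a window in which no SuidCells file exists at all, which creating the link under a temporary name and then "mv -f" over ${SUIDDB} would avoid; and the relative link target only resolves if ${SUIDDB} is ${VICEDIR}/SuidCells, which the hunk assumes without stating, so a comment next to the ln line (or using the variable in the target) would make the dependency explicit.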
Note that the line "mv -f ${VICEDIR}/Ctmp ${SUIDDB}" in the original
would be executed even if the copy failed (possibly producing a zero
length file).
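The safer update the message argues for, written out as an added example rather than the Athena config_afs script itself: the master list is fetched into a temporary file and only replaces SuidCells.public when the copy succeeded and is non-empty (the zero-length-file problem noted above), the local cells are merged before the rename so readers never see a partial list, and on public workstations the symlink is swapped in with a rename instead of rm followed by ln. The function name, its arguments, and the cell names in the test are constructed for this example; the real script reads ${VICEDIR}, ${SUIDDB} and ${PUBLIC} from its environment.

```sh
#!/bin/sh
# Added example, not Athena's config_afs. Paths and the function signature are
# placeholders chosen for this illustration.
#
# update_suid_cells SOURCE VICEDIR PUBLIC
#   SOURCE  : master SuidCells list (lives in AFS on a real workstation)
#   VICEDIR : directory holding SuidCells, SuidCells.public, SuidCells.local
#   PUBLIC  : "true" on a public workstation, anything else on a private one
# Returns 0 on success, 1 if the master copy could not be fetched or is empty;
# in the failure case every existing file is left exactly as it was.
update_suid_cells() {
    src=$1; vicedir=$2; public=$3
    suiddb="$vicedir/SuidCells"
    tmp="$vicedir/Ctmp.$$"
    lnk="$vicedir/SuidCells.lnk.$$"

    # Fetch into a temp file. A failed or empty copy aborts the whole update
    # instead of being renamed over the live list.
    if ! cp "$src" "$tmp" 2>/dev/null || ! [ -s "$tmp" ]; then
        rm -f "$tmp"
        return 1
    fi

    # Merge the maintainer's local additions before the file goes live, so the
    # published list is never observed half-written.
    if [ -f "$suiddb.local" ]; then
        cat "$suiddb.local" >>"$tmp"
    fi
    mv -f "$tmp" "$suiddb.public"

    # Public workstations: SuidCells is a link to SuidCells.public. Build the
    # link under a temporary name and rename it over SuidCells, so there is no
    # instant at which SuidCells is missing.
    if [ "$public" = "true" ]; then
        rm -f "$lnk"
        ln -s SuidCells.public "$lnk"
        mv -f "$lnk" "$suiddb"
    fi
    # Private workstations (PUBLIC != true) keep their own SuidCells untouched;
    # only SuidCells.public is refreshed, as the message proposes.
    return 0
}
```

Because SuidCells.public is only ever replaced by a rename of a fully written temporary file, a workstation whose AFS fetch fails keeps yesterday's list rather than an empty one, and the cells a private-workstation maintainer removed by hand stay removed.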