Sat, 04/16/2016 - 11:58 By emziemer

Sine Nomine Associates is proud to provide availability of an updated version of our signed OpenAFS MacOS 10 client installer. As with the previously announced version, this is provided as a donation to OpenAFS.org through the OpenAFS Foundation.

This version of the signed installer fixes problems with the Finder's ability to access files over network filesystems other than CIFS. (Details in the Release Notes, below).

The versions of the packages are OpenAFS 1.6.16 for Mac OSX 10.9 (Mavericks), Mac OSX  10.10 (Yosemite), and Mac OSX 10.11 (El Capitan) with some additional patches to address the reported issues with the previous version.  Please note that, at present, this is considered a pre-release of the SNA signed installer although it has proven operationally worthwhile at at least three sites. As with the previously announced version, these installers are signed using SNA's certificate. As soon as the Foundation is ready to do so, SNA will make available the then-current and future releases to the Foundation for the Foundation's signature and formal, official release to the community.

The signed installers are available here: http://download.sinenomine.net/openafs/bins/1.6.16/

Release Notes:

The disk images provided here provide support for recent Mac OS X versions, including provisional support for System Integrity Protection (aka "rootless") on 10.11.

Included is an experimental change to the client to support the additional security verification of 10.11, where programs using the native "Cocoa" API will ask various root daemons (taskgated, DesktopServicesHelper, syspolicyd, possibly others depending on configuration) to verify files for them; these daemons are denied access to the user's token, and would normally fail verification as a result. This change means that root can read any AFS-resident file that is locally cached without a token. While this is technically a security violation, it should be noted that all versions of IBM AFS and OpenAFS already allow root (or, with lax cache permissions, potentially any user) to read any locally cached file by accessing the cache directory directly. Thus, the risk this introduces is no greater than the risks already carried by sites using AFS.

Programs using the BSD APIs do not use the root daemons and work as expected, unless you run a signed binary from OpenAFS, in which case taskgated will attempt to verify the binary's signature and internal requirements and entitlements; this again requires the above root access change.

On 10.11, client commands are installed to /opt/openafs/bin instead of /usr/bin. The system path database is modified to add this directory to the $PATH of new sessions. Running sessions after initial installation of the client will need to add /opt/openafs/bin to their $PATH manually.

The change to enable root to perform security checks appears to have introduced an occasional issue where tab completion in a directory will not work unless the directory's contents has previously been listed (e.g. with "ls"). While the security checks are only performed on 10.11, the root access code path is active in all of the clients, so this will also occur on 10.9 and 10.10. We are still working on diagnosing the cause, and will provide anupdated release when it is available. In testing, this issue has proven uncommon and transient for most sites.

NOTE: The preference pane remains deprecated in this version of the client. Sine Nomine is working on addressing problems in the preference pane for future versions.