[OpenAFS] AFS && Apache

Russ Allbery rra@stanford.edu
Wed, 15 May 2002 00:34:59 -0700

Marcus Watts <mdw@umich.edu> writes:

> Apache *does* know to do a "setuid".  If you haven't run a "setpag"
> before you run apache, then the setuid() call will result in apache
> seeing the default tokens for user "nobody" rather than the default
> tokens for (presumably) root - that would be my first guess as to what's
> happening.  You probably *really* want to run apache in its own pag and
> not root's -- that way, you can log in separately as root, get tokens,
> and not break apache.

Another option, which can be a bit easier to set up, is to tell Apache to
run as a distinguished user (*not* nobody, which does a bunch of other
things, but its own separate user), and then obtain tickets and tokens for
that user.

There are pluses and minuses to doing things outside of a PAG.  The
significant minus is that you then have to be careful never to restart
Apache from inside a PAG, because it then won't be able to see its token.
That means, for example, having to do restarts with a temporary cron job
rather than by hand.

The plus is that one doesn't have to coordinate the process that maintains
the token and ticket and Apache itself.  When running them both inside the
same PAG, one has to start them together and keep them running together,
and it's hard to restart one without restarting the other.  We run the
ticket and token process out of svscan from djb's daemontools, for
example, and that would be tricky if it needed to run in the same PAG as

Doing it all inside its own PAG *is* significantly cleaner and probably
the Right Way To Do Things, but it's a bit more complicated to set up and
there are alternatives.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
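As an added illustration of the non-PAG setup described above (example code, not from the message or from OpenAFS): a ticket-and-token maintainer for a dedicated Apache user, meant to be started outside any PAG (for instance from a daemontools run script) and refreshed on a timer. The user name, keytab path, principal and cell are placeholders, and the `tokens` output used for the check is constructed.

```shell
#!/bin/sh
# Keeps a Kerberos ticket and an AFS token alive for a dedicated Apache user.
# Run it *outside* any PAG so the token is visible to Apache, which must then
# also be restarted from outside a PAG (e.g. from cron, not an interactive shell).
# Placeholder values; adjust for your site:
AFS_USER=wwwafs                         # the distinguished user Apache runs as
KEYTAB=/etc/krb5.keytab.wwwafs          # keytab readable only by that user
PRINCIPAL=wwwafs@EXAMPLE.ORG
CELL=example.org
INTERVAL=3600                           # seconds; keep well under ticket lifetime

# has_token OUTPUT CELL: succeed if the given `tokens` output lists a token for
# CELL.  Takes the output as an argument so it can be checked without AFS.
has_token() {
    printf '%s\n' "$1" | grep -q "tokens for afs@$2"
}

# refresh: new ticket from the keytab, then a new AFS token in the *current*
# PAG-less context, which is what Apache (started the same way) will see.
refresh() {
    kinit -k -t "$KEYTAB" "$PRINCIPAL" && aklog -c "$CELL"
}

# check: complain if, after a refresh, no token for CELL is visible here.
check() {
    has_token "$(tokens)" "$CELL" || echo "no AFS token for $CELL visible" >&2
}

# Constructed sample of `tokens` output, used only to exercise has_token.
SAMPLE_TOKENS="Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@example.org [Expires May 15 12:34]
   --End of list--"

# Entry point for the daemontools run script: `exec sh tokenkeeper.sh run`.
case "${1:-}" in
run)
    [ "$(id -un)" = "$AFS_USER" ] || { echo "run as $AFS_USER" >&2; exit 1; }
    while :; do
        refresh || echo "ticket/token refresh failed" >&2
        check
        sleep "$INTERVAL"
    done
    ;;
esac
```

A one-off restart can then be done from cron as `$AFS_USER`, never from a shell that has run setpag, so the new Apache inherits the same PAG-less view of the token.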