[OpenAFS] security of virtual web servers on afs

Michal Švamberg svamberg@gmail.com
Wed, 12 Dec 2012 15:44:29 +0100

We are using AFS at the University of West Bohemia for virtual
web servers. Each of them (almost 400) has its own AFS volume.
The webserver itself has an AFS identity through its IP address and everything
works fine. But the problem is exactly with the AFS identity
of the webserver. It has read rights over all of the virtual webservers,
and a volume's owner can, e.g. by a PHP script, read data from other
volumes. The bigger problem is when someone in their own volume
allows write rights for the webserver - e.g. there is some kind
of CMS system (Drupal, Joomla, ...) that needs write rights.
Now, an attacker from outside the university can try to insert bad
code and do with it anything he wants.
Is there some reasonable advice on how to separate virtual web
servers on AFS from each other?

Thank you,
Michal Svamberg
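The post describes a shared, IP-based AFS identity for the web server and the risk that some site owners grant it write rights. A first step a defender would take is to audit which volumes actually grant that identity anything beyond read/lookup. The shell script below is an added example, not code from the original post or from OpenAFS: it parses concatenated `fs listacl` output and reports every path where a given identity holds insert, delete, write or administer rights. The cell name, paths, owner names and the IP identity `10.0.0.5` are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): audit `fs listacl` output
# for ACL entries that give the web server's IP-based AFS identity
# anything beyond r (read) and l (lookup).
# All paths, identities and rights below are constructed placeholders.

# Constructed sample resembling the output of running
#   for d in /afs/example.org/www/*; do fs listacl "$d"; done
SAMPLE_ACLS='Access list for /afs/example.org/www/site1 is
Normal rights:
  system:administrators rlidwka
  site1owner rlidwka
  10.0.0.5 rl
Access list for /afs/example.org/www/site2 is
Normal rights:
  system:administrators rlidwka
  site2owner rlidwka
  10.0.0.5 rlidwk
Negative rights:
  10.0.0.5 a
'

# find_writable_grants IDENTITY < listacl-output
# Prints "path rights" for each path where IDENTITY holds any of
# i (insert), d (delete), w (write) or a (administer) in the
# "Normal rights" section. Entries under "Negative rights" are
# denials, not grants, so they are skipped.
find_writable_grants() {
    awk -v who="$1" '
        /^Access list for / { path = $4 }
        /^Normal rights:/   { neg = 0 }
        /^Negative rights:/ { neg = 1 }
        !neg && $1 == who && $2 ~ /[idwa]/ { print path, $2 }
    '
}

# Stand-alone demonstration on the constructed sample.
# In a real cell you would pipe live `fs listacl` output instead:
#   for d in /afs/example.org/www/*; do fs listacl "$d"; done \
#       | find_writable_grants 10.0.0.5
printf '%s' "$SAMPLE_ACLS" | find_writable_grants 10.0.0.5
```

Every line printed is a volume where a compromised CMS running as the web server identity could modify content. Those are the volumes to review first, and ideally move to a per-site identity (or a PTS group per site) so the web server's write rights are scoped to one volume rather than shared across all of them.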