[OpenAFS] AFS && Apache

Charles Clancy security@xauth.net
Wed, 15 May 2002 15:01:45 -0500 (CDT)


> >>>>> "Michael" == Michael Bruewer <bruewer@uni-hohenheim.de> writes:
>
>     Michael> Instead of IP-based ACLS, why not even give
>     Michael> system:anyuser rl on the web-volumes?  OK, you cannot
>     Michael> hide files from AFS-Users by creating public.html in each
>     Michael> directory.
>
> That was the very first thing I did, didn't help... If you don't have
> a token, you can't enter AFS space at all (!?)
>
> Naturally I tried adding 'system:anyuser rl' in all directories LEADING
> to the web volume (I'm now convinced that volumes is a good thing :)...

I've done it with both IP ACLs and tokens in the past.

When using the token approach, I just set the token lifetime really long
(like a couple years long) so I wouldn't have to worry about renewing the
tokens.  I used the attached /etc/init.d/httpd to start and stop apache
(for kaserver environments).

The IP ACLs were much easier -- but only in the case where normal users
cannot log into the web server.

One big problem I faced was site security.  Sure, having this token is
nice because you can grant write access to a directory somewhere in AFS
for your web applications to write to.  If all CGI, PHP, and JSP scripts
are running with the same token under apache, and normal users can use
these technologies, then normal users have the ability to perhaps mess
with web applications they shouldn't be able to mess with.

What I finally ended up doing was to set up two web servers, each running
with a token for a different AFS user.  The main web server proxied all
requests for /~* to the second web server.  That way users' CGI scripts
could only mess with each other, and not with the department CGI scripts.
I'm sure something similar could be accomplished by running two apache
processes on different ports with different AFS tokens (but that wouldn't
work if you were using IP ACLs.)

Anyway, personal web pages that use any sort of scripting to write data to
home directories are something I never had a really good solution to.

[  t charles clancy  ]-[  tclancy@uiuc.edu  ]-[  uiuc.edu/~tclancy  ]

------ /etc/init.d/httpd ------

#!/bin/sh
# Start/stop Apache inside a PAG holding a long-lived token for the AFS
# user "www" (kaserver environment).  The password is on the klog line,
# so this file must be readable by root only.

case $1 in

'start')
        echo "Starting apache..."
        # pagsh creates a fresh PAG; the token klog obtains inside it is
        # inherited by httpd and by every child process httpd forks.
        /usr/afsws/bin/pagsh -c 'su www -c "/usr/afsws/bin/unlog; /usr/afsws/bin/klog www -password ******"; /usr/apache/bin/httpd'
        ;;
'stop')
        echo "Shutting down apache..."
        /usr/bin/pkill jserv
        sleep 3
        # Kill every process whose command line mentions apache
        # (matches the /usr/apache/bin/httpd path).
        ps -ef | grep apache | grep -v grep | awk '{print $2}' | xargs -I{} kill {}
        ;;
'restart')
        $0 stop > /dev/null
        sleep 5
        $0 start > /dev/null
        ;;
*)
        echo "Usage: $0 {start|stop|restart}" >&2
        exit 1
        ;;
esac
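The two-server layout described in the post (one Apache with the departmental token, a second one with a different token serving /~user/ content behind a proxy), written up as an added example init script. This is not the poster's script and not part of OpenAFS; every path, user name (www, wwwuser), password-file location (/etc/afs-tokens/*.pw), the PidFile convention and the 720-hour lifetime are assumptions for illustration. Each instance is started in its own PAG, the password is read with klog -pipe from a root-only file instead of being embedded in the script, and stopping goes through the pid file rather than grepping ps (which would catch the other instance). The main instance's httpd.conf is assumed to carry a mod_proxy line such as ProxyPass "/~" "http://127.0.0.1:8081/~" pointing at the users instance:

```shell
#!/bin/sh
# Added example, not the original poster's /etc/init.d/httpd: run one
# Apache instance per AFS identity, each inside its own PAG, so that the
# departmental server and the "~user" server never share a token.
# Every path, user name and file name below is an assumption.

PAGSH=${PAGSH:-/usr/afsws/bin/pagsh}
KLOG=${KLOG:-/usr/afsws/bin/klog}
HTTPD=${HTTPD:-/usr/apache/bin/httpd}
RUNDIR=${RUNDIR:-/var/run}
DRY_RUN=${DRY_RUN:-0}
# Lifetime requested from klog (hh:mm:ss).  The kaserver caps it at the
# per-user maximum (kas setfields -lifetime); that cap is what has to be
# raised to get the multi-year tokens the post mentions.
LIFETIME=${LIFETIME:-720:00:00}

# One line per instance: NAME AFSUSER PASSFILE CONFIG.  Each CONFIG is
# assumed to set its own Listen port and "PidFile $RUNDIR/httpd-NAME.pid";
# the main config proxies /~ to the users instance with ProxyPass.
INSTANCES='
main  www     /etc/afs-tokens/www.pw     /usr/apache/conf/httpd-main.conf
users wwwuser /etc/afs-tokens/wwwuser.pw /usr/apache/conf/httpd-users.conf
'

# passfile_ok FILE: the password lives in FILE, not in this script, so
# refuse it unless it is a regular file with no group/other permission bits.
passfile_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c5-10)" in
        *[rwx]*) return 1 ;;
    esac
    return 0
}

# build_start_cmd AFSUSER PASSFILE CONFIG: emit the command that starts
# one instance.  pagsh -c creates a fresh PAG; klog -pipe reads the
# password from PASSFILE; exec keeps httpd (and every child it forks)
# inside that PAG, so they carry only this identity's token.
build_start_cmd() {
    printf '%s -c "%s -principal %s -pipe -lifetime %s < %s && exec %s -f %s"' \
        "$PAGSH" "$KLOG" "$1" "$LIFETIME" "$2" "$HTTPD" "$3"
}

# for_each_instance FUNC: call FUNC NAME AFSUSER PASSFILE CONFIG per line.
for_each_instance() {
    echo "$INSTANCES" | while read -r name user pw conf; do
        [ -n "$name" ] || continue
        "$1" "$name" "$user" "$pw" "$conf"
    done
}

start_instance() {
    if ! passfile_ok "$3"; then
        echo "$1: refusing to start, $3 must be a root-only (0600) file" >&2
        return 1
    fi
    echo "Starting apache ($1) as AFS user $2..."
    cmd=$(build_start_cmd "$2" "$3" "$4")
    if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
}

# Stop through the pid file instead of "ps | grep apache", which would
# also match the other instance (and anything else with apache in argv).
stop_instance() {
    pidfile="$RUNDIR/httpd-$1.pid"
    [ -f "$pidfile" ] || { echo "$1: not running ($pidfile missing)"; return 0; }
    echo "Shutting down apache ($1)..."
    if [ "$DRY_RUN" = 1 ]; then echo "kill -TERM $(cat "$pidfile")"; return 0; fi
    kill -TERM "$(cat "$pidfile")"
}

usage() { echo "Usage: $0 {start|stop|restart}" >&2; }

case "${1:-}" in
    start)   for_each_instance start_instance ;;
    stop)    for_each_instance stop_instance ;;
    restart) "$0" stop; sleep 5; "$0" start ;;
    '')      usage ;;
    *)       usage; exit 2 ;;
esac
```

Run with DRY_RUN=1 to see the exact pagsh/klog/httpd command lines without touching anything; the IP-ACL approach from the post cannot be combined with this layout, because the proxied /~ requests reach the second instance from the proxy's address, not the client's.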