[OpenAFS] Website files in AFS

[Lukas Kubin]

This is a cryptographically signed message in MIME format.

--------------ms020601020906010802040905
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Thank your for the answer. I have more questions:
1. What determines whether a process is run inside or outside a PAG? I 
tried to kinit different principal and aklog as root in another shell 
using the same K5 cache file. It didn't affected serving AFS files by 
Apache. Does it mean the Apache is running from within a PAG?
2. Is the schema I used (ie. keys in /etc/krb5.keytab and cache in 
/tmp/krb5cc_system.webserver) similar to what do others in AFS networks 
use, or does it have any drawback I will meet in near future?

Thank you again.

lukas

Todd M. Lewis wrote:
> All processes running with the same uid and without a PAG will share the 
> same credentials.  Also, if any of them authenticates as something other 
> than system.webserver, then your web server won't serve the AFS based 
> pages anymore.

> Cheers,
> -- 
> Todd_Lewis@unc.edu
> 
> Lukas Kubin wrote:
> 
>> Thank you for the link, I've read the page.
>> I don't understand the purpose of pagsh.openafs however. I tried the 
>> following:
>>
>> 1. created system/webserver@MYREALM principal in K5
>> 2. created system.webserver in pts
>> 3. put system/webserver key into /etc/krb5.keytab
>> 4. inserted following into apache's init script:
>>
>> KRB5CCNAME=/tmp/krb5cc_system.webserver
>> kinit -k -t /etc/krb5.keytab system/webserver
>> aklog
>>
>> The init script uses /bin/sh for execution.
>> Now the webserver serves files from AFS directories with "rl" rights 
>> for system.webserver.
>> Is there something bad or a security item in the way I used it? What 
>> would be the difference if I had used PAG?
>> Thank you.
>>
>> lukas
>>
>> Russ Allbery wrote:
>>
>>> Lukas Kubin <kubin@opf.slu.cz> writes:
>>>
>>>
>>>> What is a common secure way in OpenAFS environment to allow Apache
>>>> webserver to access website files stored in users' home directories?
>>>
>>>
>>>
>>>
>>> Depending on what you mean by secure, you may find:
>>>
>>>     <http://www.stanford.edu/services/afs/userguide/web-pages.html>
>>>
>>> useful.
>>>
>>
>>
>> _______________________________________________
>> OpenAFS-info mailing list
>> OpenAFS-info@openafs.org
>> https://lists.openafs.org/mailman/listinfo/openafs-info
> 
> 


-- 
Lukas Kubin

phone: +420596398275
email: kubin@opf.slu.cz

Information centre
The School of Business Administration in Karvina
Silesian University in Opava
Czech Republic
http://www.opf.slu.cz

--------------ms020601020906010802040905
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIGbDCC
AzIwggIaoAMCAQICAgDmMA0GCSqGSIb3DQEBBAUAMDIxCzAJBgNVBAYTAkNaMQ8wDQYDVQQK
EwZDRVNORVQxEjAQBgNVBAMTCUNFU05FVCBDQTAeFw0wMzExMTkxNDM4NTdaFw0wNDExMTgx
NDM4NTdaMEUxDzANBgNVBAoTBkNFU05FVDEcMBoGA1UEChMTU2lsZXNpYW4gVW5pdmVyc2l0
eTEUMBIGA1UEAxMLbHVrYXMga3ViaW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL7l
zAuBktAjhaVuPR0S2kwnO/xt1fp9D2GdLpxu2NcqUsuyEC00k3VHEijgFzcNt7+QviV1y5nq
P3nmCqk+eNp20Z3qrYZKGh0YTho/qPESyjFZ4P2NmV7W+SewXZ0IEtxD/DaOMQo8kww1ho5y
zaxVgSRItwefSBEMmFYdqrxpAgMBAAGjgcIwgb8wHQYDVR0OBBYEFNBqBwZMDvExebpgW4m8
MCWtsegvMB8GA1UdIwQYMBaAFPhWGtmaeJVttIiEVTUvqgbz1yBaMDUGA1UdHwQuMCwwKqAo
oCaGJGh0dHA6Ly93d3cuY2VzbmV0LmN6L3BraS9jcmwvY2NhLmNybDAOBgNVHQ8BAf8EBAMC
BPAwGwYDVR0RBBQwEoEQa3ViaW5Ab3BmLnNsdS5jejAZBgNVHSAEEjAQMA4GDCsGAQQBvnkB
AgIBATANBgkqhkiG9w0BAQQFAAOCAQEAuI/sMxZZa78h5+Mzo3IhgSxrVMl5Hbm2YgLWLHAx
QG1NxG0W9bkggMmRWrW8Xotr8VPA4IySqBiVwOlVMdZ5GNcUiSCrrFU6zfxAXD6dAJuEHGfb
Vz/dQntptJ9Dz/URteoMleNZjn2gPaLELEax2gaF+2cvbpW521CFJrxxMc2LdScRDBCFapWO
GNbxqSflLqbT8TsrbmS1V6zUicXf2eUurKA36/psbtFdG03vVaD3+V+RMgHr6X5k1NUfDfSI
pmX7irFEn7tMrxq630NTJUrEm1w4ivK/+f+6+F0ozeaamYS/Gm7LUFSgA15ZDtGCKySWQp2V
B+gwUKfc+8R+WjCCAzIwggIaoAMCAQICAgDmMA0GCSqGSIb3DQEBBAUAMDIxCzAJBgNVBAYT
AkNaMQ8wDQYDVQQKEwZDRVNORVQxEjAQBgNVBAMTCUNFU05FVCBDQTAeFw0wMzExMTkxNDM4
NTdaFw0wNDExMTgxNDM4NTdaMEUxDzANBgNVBAoTBkNFU05FVDEcMBoGA1UEChMTU2lsZXNp
YW4gVW5pdmVyc2l0eTEUMBIGA1UEAxMLbHVrYXMga3ViaW4wgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAL7lzAuBktAjhaVuPR0S2kwnO/xt1fp9D2GdLpxu2NcqUsuyEC00k3VHEijg
FzcNt7+QviV1y5nqP3nmCqk+eNp20Z3qrYZKGh0YTho/qPESyjFZ4P2NmV7W+SewXZ0IEtxD
/DaOMQo8kww1ho5yzaxVgSRItwefSBEMmFYdqrxpAgMBAAGjgcIwgb8wHQYDVR0OBBYEFNBq
BwZMDvExebpgW4m8MCWtsegvMB8GA1UdIwQYMBaAFPhWGtmaeJVttIiEVTUvqgbz1yBaMDUG
A1UdHwQuMCwwKqAooCaGJGh0dHA6Ly93d3cuY2VzbmV0LmN6L3BraS9jcmwvY2NhLmNybDAO
BgNVHQ8BAf8EBAMCBPAwGwYDVR0RBBQwEoEQa3ViaW5Ab3BmLnNsdS5jejAZBgNVHSAEEjAQ
MA4GDCsGAQQBvnkBAgIBATANBgkqhkiG9w0BAQQFAAOCAQEAuI/sMxZZa78h5+Mzo3IhgSxr
VMl5Hbm2YgLWLHAxQG1NxG0W9bkggMmRWrW8Xotr8VPA4IySqBiVwOlVMdZ5GNcUiSCrrFU6
zfxAXD6dAJuEHGfbVz/dQntptJ9Dz/URteoMleNZjn2gPaLELEax2gaF+2cvbpW521CFJrxx
Mc2LdScRDBCFapWOGNbxqSflLqbT8TsrbmS1V6zUicXf2eUurKA36/psbtFdG03vVaD3+V+R
MgHr6X5k1NUfDfSIpmX7irFEn7tMrxq630NTJUrEm1w4ivK/+f+6+F0ozeaamYS/Gm7LUFSg
A15ZDtGCKySWQp2VB+gwUKfc+8R+WjGCAicwggIjAgEBMDgwMjELMAkGA1UEBhMCQ1oxDzAN
BgNVBAoTBkNFU05FVDESMBAGA1UEAxMJQ0VTTkVUIENBAgIA5jAJBgUrDgMCGgUAoIIBRTAY
BgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wNDAyMTAxNzMzMDJa
MCMGCSqGSIb3DQEJBDEWBBT+1yO0x/EYOmjD2qX0gOQLm00tFzBHBgkrBgEEAYI3EAQxOjA4
MDIxCzAJBgNVBAYTAkNaMQ8wDQYDVQQKEwZDRVNORVQxEjAQBgNVBAMTCUNFU05FVCBDQQIC
AOYwSQYLKoZIhvcNAQkQAgsxOqA4MDIxCzAJBgNVBAYTAkNaMQ8wDQYDVQQKEwZDRVNORVQx
EjAQBgNVBAMTCUNFU05FVCBDQQICAOYwUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0DBzAO
BggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgw
DQYJKoZIhvcNAQEBBQAEgYBZ3GxewsVcK2JXkKt2UI04s9MarOP0Rqk2GtlVpb5qNgHeWQZi
t0cl0sWP++p/oASmPlTbW+lER01xjHaNqsilxNIEHY8rtUsCD6LliR2NpCCYpWmhMtKxLuv8
IDQJhtrroMcd1ncNsK+r00zWYp17tDGY6IrXeer9yyNRhTKE4AAAAAAAAA==
--------------ms020601020906010802040905--