[OpenAFS] (webserver security) AFS and Apache Virtual Directory

Tim Spriggs tims@lpl.arizona.edu
Wed, 23 Nov 2005 14:52:05 -0700 (MST)


On Tue, 22 Nov 2005, zeroguy wrote:

> On Tue, 22 Nov 2005 18:56:27 -0500
> Jim Rees <rees@umich.edu> wrote:
>
> > Those of you who are running apache authenticated to afs, I'm just
> > curious... why?
>
> And the permission model in AFS gets around that annoying problem of
> needing the web server to have read access, and not giving read access
> to everyone else (where they could, say, read database passwords, or
> other such things).

Of course, this doesn't completely solve the problem, right? As long as
the webserver can see it and other people can run stuff as the webserver
(like a quick perl/cgi script) then they can still get to the files almost
as easily, if not more easily in some respects:

#!/usr/bin/perl
# Toy CGI: shows a form, then runs whatever command was submitted in the
# 'exec' field as the webserver user and prints its output.
use strict;
use warnings;
use CGI;

my $cgi  = CGI->new;
my $exec = $cgi->param('exec');

print $cgi->header() . $cgi->start_html() . $cgi->start_form() .
   $cgi->textfield(-name=>'exec') . $cgi->submit() .
   $cgi->end_form() . $cgi->br;
print `$exec` if defined $exec;   # command output, as the webserver user
print $cgi->end_html();

(or something along these lines...)

Now a user has a nice little shell running as the webserver and your
problem is back to square one. To get rid of this problem users cannot be
allowed to execute code as the webserver user. Perhaps this means setting
up things like suphp. It could also mean setting up a secure webserver
(with the content that you don't want users to see) in a way that they
cannot execute code.

Either way, you have to decide how much time you are willing to spend
managing the webserver configuration(s). My dept is looking at putting a
secure webserver into a Solaris Zone, and a "general" webserver into
another zone. (For non-Solaris people, think fancy chroot env)

Using ACLs, the secure webserver can see the secure information, while
the general webserver cannot. This can be done without the "755"
permissions by adding an ACL for the secure webserver user. This works
on Linux filesystems as well as ufs/afs/... anything modern enough to
support ACLs.

What AFS does buy is easy/secure user access without needing access to the
webserver itself. (as well as the usual replication/...) AFS alone doesn't
buy any security.

-Tim

  /++--._.--++\  .                     _.-._
       \|/                           /+
        |       /|\  /| _.-._.-._   <{
        +        |    |/         \   \_
       /_\      _|_   |           |    ^=-._
                                            \
Lunar and Planetary Lab                     }>
(520) 626 - 4991 -- SS 416                 _/
_______________________________________.-=$/  <|>

1629 E. University Blvd.
University of Arizona
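As an added illustration of the ACL point above (this is not code from the original thread): a small Python model of how POSIX.1e access ACLs are evaluated. It parses getfacl text and decides whether a given user can read the file, so you can see why a named-user entry for the secure webserver lets it read a file that stays unreadable for the general webserver and for everyone else. It goes a little beyond the post by also handling named-group entries and the mask; the user names (webadmin, www-secure, www-general), file path and sample ACL are constructed.

```python
from types import SimpleNamespace

def parse_getfacl(text: str) -> SimpleNamespace:
    """Parse getfacl(1) output for one file. users[""]/groups[""] hold the
    owner and owning-group entries, other keys hold named users/groups; a
    missing mask entry limits nothing, so it defaults to rwx."""
    acl = SimpleNamespace(owner="", group="", users={}, groups={},
                          mask="rwx", other="---")
    for raw in text.splitlines():
        if raw.startswith("# owner:"):
            acl.owner = raw.split(":", 1)[1].strip()
        elif raw.startswith("# group:"):
            acl.group = raw.split(":", 1)[1].strip()
        elif raw.startswith("#") or not raw.strip():
            continue                       # "# file:" header or blank line
        else:                              # drop any trailing "#effective:" note
            tag, name, perms = raw.split("#")[0].strip().split(":")
            if tag in ("user", "group"):
                getattr(acl, tag + "s")[name] = perms
            else:                          # mask or other entry
                setattr(acl, tag, perms)
    return acl

def can_read(acl: SimpleNamespace, user: str, groups: set) -> bool:
    """POSIX.1e read check: the first matching entry class decides; named-user
    and all group entries are additionally filtered through the mask."""
    def granted(perms: str) -> bool:
        return "r" in perms and "r" in acl.mask
    if user == acl.owner:
        return "r" in acl.users[""]        # owner entry is never masked
    if user in acl.users:
        return granted(acl.users[user])
    matches = [p for g, p in acl.groups.items()
               if (acl.group if g == "" else g) in groups]
    if matches:                            # any matching group entry may grant
        return any(granted(p) for p in matches)
    return "r" in acl.other

# Constructed sample: what getfacl prints for a 0600 file after
#   setfacl -m u:www-secure:r-- secure/db.conf   (ls -l then shows -rw-r-----+,
#   because the group bits of a file with an ACL display the mask, not group::)
SAMPLE = """\
# file: secure/db.conf
# owner: webadmin
# group: webadmin
user::rw-
user:www-secure:r--
group::---
mask::r--
other::---
"""
```

Note that the owner entry is never limited by the mask, while the named-user entry is: `setfacl -m m::--- secure/db.conf` would silently turn off the secure webserver's read access even though its entry still says r--.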