[OpenAFS] (webserver security) AFS and Apache Virtual Directory

Tim Spriggs tims@lpl.arizona.edu
Thu, 24 Nov 2005 04:46:49 -0700 (MST)


On Wed, 23 Nov 2005, Russ Allbery wrote:

> Tim Spriggs <tims@lpl.arizona.edu> writes:
>
> > Of course, this doesn't completely solve the problem, right? As long as
> > the webserver can see it and other people can run stuff as the webserver
> > (like a quick perl/cgi script)
>
> Right, that's why you don't allow the second one, or if you do, you run
> those programs with a different set of credentials than the server using a
> hacked suexec.
>

Not allowing the second one is silly in our case, we have a lot of content
in user home directories.

So you are running everything in suexec as a secondary user? This
mechanism doesn't have any problems with afs/kerberos credentials being
passed on or is that what is hacked about it? Also, does this incur
performance problems? We have been slashdotted a few times and we do our
best to keep the server slashdott'able (if that's even a word...)

Personally, I've never liked the idea of enabling suexec in apache, but
then that might be my own ignorance of the codebase.

Maybe an apache/afs document can be made. I might be able to implement the
beginnings of such a beast or even modify an existing document to bring it
up to speed.

Thanks,
-Tim