[OpenAFS] (webserver security) AFS and Apache Virtual Directory

Russ Allbery rra@stanford.edu
Thu, 24 Nov 2005 08:54:38 -0800


Tim Spriggs <tims@lpl.arizona.edu> writes:
> On Wed, 23 Nov 2005, Russ Allbery wrote:
>> Tim Spriggs <tims@lpl.arizona.edu> writes:

>>> Of course, this doesn't completely solve the problem, right? As long as
>>> the webserver can see it and other people can run stuff as the webserver
>>> (like a quick perl/cgi script)

>> Right, that's why you don't allow the second one, or if you do, you run
>> those programs with a different set of credentials than the server
>> using a hacked suexec.

> Not allowing the second one is silly in our case, we have a lot of
> content in user home directories.

It depends on what you're serving; you can do quite a lot with static HTML
generated via other mechanisms, or there are also things like PHP safe mode
(if you can trust it).  But yes, it doesn't work for a lot of things.

> So you are running everything in suexec as a secondary user?

For untrusted users, yes.

> This mechanism doesn't have any problems with afs/kerberos credentials
> being passed on or is that what is hacked about it?

That's the part that's hacked about it.

> Also, does this incur performance problems?

It's certainly slower, and it means that you can't use mod_perl, mod_php,
etc. and have to run an external interpreter.  That's definitely not
ideal, and it would be nice to have a better solution to that.  But
maintaining a separate token for a particular Apache thread is very hard.

People doing things that require higher performance have to convince us
that they know what they're doing and won't cause security vulnerabilities
and can be trusted with the more general server credentials.  (Which are
still not particularly strong, to mention.)

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
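The credential separation discussed in this message, as an added example that is not the Stanford suexec patch and not code from the thread: a wrapper that runs an untrusted CGI in a fresh AFS PAG after discarding inherited tokens, using only the standard OpenAFS user tools (pagsh, unlog, tokens), which it assumes are on PATH.

```shell
#!/bin/sh
# Added example: isolate an untrusted CGI from the web server's AFS tokens.
# Assumes the OpenAFS commands pagsh, unlog and tokens are available.

# Count the tokens listed in `tokens` output read from stdin. Each held
# token is printed on a line containing "tokens for"; prints 0 when none.
afs_token_count() {
    grep -c 'tokens for' || true
}

# Exit status 0 when the current PAG holds no AFS tokens.
afs_no_tokens() {
    [ "$(tokens 2>/dev/null | afs_token_count)" -eq 0 ]
}

# Run the CGI script given as $1 in a new PAG with no tokens. CGI input
# arrives via environment variables and stdin, so no argv is needed; the
# script path is handed over through the environment to avoid quoting.
run_isolated_cgi() {
    CGI_SCRIPT="$1"
    export CGI_SCRIPT
    # pagsh starts a new process authentication group; unlog discards any
    # token copied into it; the guard refuses to run if tokens remain, so
    # a misconfiguration fails closed instead of exposing server credentials.
    exec pagsh -c '
        unlog
        if tokens 2>/dev/null | grep -q "tokens for"; then
            echo "Status: 500 Internal Server Error"; echo
            exit 1
        fi
        exec "$CGI_SCRIPT"'
}
```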