[OpenAFS] PHP and AFS

Ryan Underwood nemesis-lists@icequake.net
Wed, 7 Sep 2005 12:55:21 -0500


Does anyone here use PHP with an AFS-authenticated web server *without*
CGIWrap, or requiring user authentication to get a PAG for that user in
the web server?

In this case, the web server has ACLs to read anyone's web directories,
and ACLs to write where the user has permitted it to.  Since PHP is
running as part of the web server, it shares the tokens of the web
server.

PHP's 'safe mode' is intended to prevent the interpreter running on a
shared web server like this from reading or writing files or directories
that belong to someone else.  In other words, just because the web
server can read or write to a particular place doesn't mean we want to
permit any user who runs a PHP program on the web server to do that.  To
accomplish this, a UID/GID comparison is performed between the PHP
program and any files or directories that it reads or writes, to ensure
that the user who owns the script is also the user who owns the data
files.

In AFS, the UID/GID check that PHP 'safe mode' performs is worthless,
because the UID and GID are essentially meaningless.  (It also causes
unnecessary problems where the UID and GID are not in sync because files
were created from different machines or moved around, etc.)

As stupid as this sounds, I'd like to implement this 'safe mode' check
in an AFS-compatible manner.  I'm not sure exactly how to do this yet.
My first inclination is to walk the ACLs of both files and ensure that
both files have at least one matching entry with write privileges.  Then
I would have a filter list to filter out admin entries so they would not
generate false matches.

My question is whether this can be done through some generic operating
system mechanism, or if this requires -lopenafs for the pioctl support.
I guess it could be done by shelling out to fs, but that's ugly.

-- 
Ryan Underwood, <nemesis@icequake.net>
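The ACL comparison sketched in the post, as an added example that is not part of the original message, of OpenAFS or of PHP: a Python prototype that parses the text `fs listacl` prints for a path (AFS ACLs are per directory, so `fs listacl` on a file reports the ACL of the directory that contains it), drops the entries that would produce false matches (`system:administrators` and the web server's own principal, assumed here to be `httpd`), subtracts negative rights from positive rights for the same name, and reports whether the script and the data file share at least one principal holding write rights on both. The ACL listings below are constructed for the example; `listacl_of` is the only function that actually shells out to `fs`, and it is not needed to run the check on captured text. Group membership is not expanded, so a negative entry for a group a user belongs to is not applied to that user.

```python
"""Prototype of an AFS-aware replacement for PHP safe mode's UID/GID check.

Compares the ACL of the directory holding a PHP script with the ACL of
the directory holding a file the script wants to touch: the access is
allowed only if some non-filtered principal has write rights on both.
"""
import subprocess
from typing import Dict, FrozenSet, Set

# AFS rights letters that let a principal modify a directory's contents:
# 'w' (write), 'i' (insert) and 'd' (delete).  'l', 'r', 'k', 'a' and
# the application bits A-H are ignored for this purpose.
WRITE_LIKE = frozenset("wid")

# Entries that match on nearly every directory and so must not count.
# "httpd" is the assumed principal of the web server for this example.
DEFAULT_IGNORE: FrozenSet[str] = frozenset({"system:administrators", "httpd"})


def parse_listacl(text: str) -> Dict[str, Set[str]]:
    """Return effective rights per principal from `fs listacl` output.

    Output looks like:
        Access list for /afs/cell/user/alice is
        Normal rights:
          alice rlidwka
        Negative rights:
          bob rl
    Negative rights cancel the same letters in the positive entry for
    that name (per-name only; groups are not expanded here).
    """
    positive: Dict[str, Set[str]] = {}
    negative: Dict[str, Set[str]] = {}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("Access list for"):
            continue
        if stripped == "Normal rights:":
            section = positive
            continue
        if stripped == "Negative rights:":
            section = negative
            continue
        if section is None:
            raise ValueError("ACL entry before a section header: %r" % line)
        name, rights = stripped.split()
        section.setdefault(name, set()).update(rights)
    return {name: rights - negative.get(name, set())
            for name, rights in positive.items()}


def writers(acl: Dict[str, Set[str]], ignore: FrozenSet[str]) -> Set[str]:
    """Principals holding a write-like right, minus the filtered names."""
    return {name for name, rights in acl.items()
            if name not in ignore and rights & WRITE_LIKE}


def shared_writers(script_acl: str, data_acl: str,
                   ignore: FrozenSet[str] = DEFAULT_IGNORE) -> Set[str]:
    """Principals that may write both the script's and the data's directory."""
    return writers(parse_listacl(script_acl), ignore) & \
        writers(parse_listacl(data_acl), ignore)


def same_owner(script_acl: str, data_acl: str,
               ignore: FrozenSet[str] = DEFAULT_IGNORE) -> bool:
    """The AFS analogue of safe mode's owner comparison."""
    return bool(shared_writers(script_acl, data_acl, ignore))


def listacl_of(path: str) -> str:
    """Fetch a live listing by running `fs listacl` (the 'ugly' route)."""
    return subprocess.run(["fs", "listacl", path], check=True,
                          capture_output=True, text=True).stdout


# Constructed listings in the `fs listacl` format, for demonstration only.
SCRIPT_DIR_ACL = """\
Access list for /afs/example.org/user/alice/public_html is
Normal rights:
  system:administrators rlidwka
  alice rlidwka
  httpd rl
"""

DATA_DIR_ACL_OK = """\
Access list for /afs/example.org/user/alice/data is
Normal rights:
  system:administrators rlidwka
  alice rlidwka
  httpd rlidwk
"""

DATA_DIR_ACL_OTHER = """\
Access list for /afs/example.org/user/bob/data is
Normal rights:
  system:administrators rlidwka
  bob rlidwka
  httpd rlidwk
"""

DATA_DIR_ACL_NEGATED = """\
Access list for /afs/example.org/project/shared is
Normal rights:
  system:administrators rlidwka
  alice rlidwka
  httpd rl
Negative rights:
  alice widk
"""

if __name__ == "__main__":
    print("alice -> alice:", same_owner(SCRIPT_DIR_ACL, DATA_DIR_ACL_OK))
    print("alice -> bob:  ", same_owner(SCRIPT_DIR_ACL, DATA_DIR_ACL_OTHER))
    print("without filter:", shared_writers(SCRIPT_DIR_ACL, DATA_DIR_ACL_OTHER,
                                            frozenset()))
```

Running the module shows the point of the filter list: with it, Alice's script may touch her own data but not Bob's; without it, `system:administrators` appears as a "common writer" of every pair of directories and the check passes for everything. The negated listing shows why the negative section has to be parsed rather than skipped: Alice looks like a writer in the positive entries alone but has no effective write rights there.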