[OpenAFS] cgi and afs?
Fri, 8 Jun 2007 11:00:10 -0400
On Jun 8, 2007, at 09:33, Todd M. Lewis wrote:
> Zach wrote:
>> I was talking to our sys admin. about allowing us users to run cgi
>> programs from our afs accounts (served from $HOME/www which has
>> "system:anyuser rl") and asked if the web server could do this and
>> told first that the CMU AFS team was working on a way to make CGI
>> principles for andrew (AFS realm) users so we can support them on
>> contrib (AFS realm) and then later told they ran into a problem with
>> permissions but had to work on the code a bit more. This was 8 months
>> ago and still waiting for this to be finished. [...]
> You might want to look at https://lists.openafs.org/pipermail/
> openafs-info/2002-May/004471.html to see how we run our GCI scripts
> out of AFS. It lacks some of the elegance of http://www.umbc.edu/
> oit/iss/syscore/wiki/Mod_waklog, but it has served us very well.
> Whereas Mod_waklog uses a real Apache module, we use a ScriptAlias
> to an external program to fix up the runtime environment for user's
What we do for our "userpages" cgis, is we run apache under one
kerberos principal (which is tied to a UID, not a PAG), and run all
of our CGIs & PHPs under another via a slightly modified suexec which
jumps to a UID that has another set of tokens tied to it.
People serving out static content can't hurt one another.
All of the people serving dynamic content can step on each other, or
at least the directories that they've made writable by the cgi
As the environment exists primarily for instructional purposes and
not production content service, this has generally worked out... The
mod_waklog stuff would be nice to use there, but there'd be the
management of a WHOLE lot of krb principals involved...