[OpenAFS] suEXEC/FastCGI/OpenAFS question

Aaron Knister aaronk@umbc.edu
Wed, 23 Nov 2011 15:53:58 -0500


On Wed, Nov 23, 2011 at 3:41 PM, Ken Dreyer <ktdreyer@ktdreyer.com> wrote:

> On Wed, Nov 23, 2011 at 1:16 PM, Aaron Knister <aaronk@umbc.edu> wrote:
> > I've devised another approach, dropping the mpm-itk patches and using
> > suEXEC and fastcgi for php instead.
>
> I'm trying to research the same problem, but I haven't come up with a
> working solution yet. I'm using mod_php, and I'd really like to move
> to FastCGI for more safety / flexibility.
>
> > The one piece to the puzzle that I'm missing is having fastcgi
> > obtain AFS tokens. Because the fastcgi processes aren't spawned by the
> > httpd worker handling the request waklog isn't able to pass along any
> > credentials.
>
> Are you using mod_fcgid ? Looking over
> https://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html , I was planning
> to make the FcgidWrapper script run aklog (well, with k5start), and
> use a slightly different FcgidWrapper for each vhost.
>

I've been testing with mod_fcgid. The module itself works well, but as far
as I can tell the wrapper script is executed by suexec, meaning that the
uid/gid assigned to each vhost has to be able to read a keytab with its
credentials. This could be achieved by splitting out the keytab on a
per-vhost basis, but I'm not keen on the idea of users being able to access
the keytabs containing their site credentials. It seems like that's not
something I'd want to disclose, but perhaps it isn't that big of a deal.
What do you think?


>
> I'm really only beginning to look into it, so I'd like to hear about
> setups at other sites. There was a presentation at the European AFS
> conference recently where one of the sites provides isolation by
> running entirely separate Apache daemons... and I guess they use
> mod_proxy to tie them all together? For my site, that would be a bit
> painful for a few reasons, but that does sound like a solution that
> "works".
>
>
That does sound like a headache to configure and manage, but maybe it is a
viable solution.


> - Ken
>



-- 
Aaron Knister
Systems Administrator
Division of Information Technology
University of Maryland, Baltimore County
aaronk@umbc.edu
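As an added illustration (not code from this thread, nor from mod_fcgid, OpenAFS or k5start), here is the shape of a per-vhost FcgidWrapper along the lines Ken describes: k5start obtains a Kerberos ticket from the vhost's keytab and runs aklog, then execs php-cgi. Because suexec runs the wrapper as the vhost uid, the keytab has to be readable by that uid, which is the exposure Aaron raises; the wrapper below at least refuses to start if the keytab is readable by anyone else or owned by someone else, so one site's credentials cannot be picked up by another site's uid. The Apache directives, file paths and environment variable names are assumptions; the k5start and pagsh options are the ones their man pages document and should be checked against the locally installed versions.

```shell
#!/bin/sh
# Hypothetical mod_fcgid wrapper for one vhost (example, not the thread's code).
#
# Assumed Apache configuration, one block per vhost (paths are placeholders):
#
#   SuexecUserGroup site1 site1
#   FcgidInitialEnv AFS_KEYTAB /var/www/site1/fcgi-bin/site1.keytab
#   FcgidInitialEnv PHP_CGI    /usr/bin/php-cgi
#   FcgidWrapper    /var/www/site1/fcgi-bin/php-wrapper .php
#
# suexec executes this wrapper as site1, so site1 must be able to read the
# keytab; the checks below refuse to run if anyone else can read it too.
set -eu

# Permission bits of a file as an octal string (GNU stat first, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Numeric owner uid of a file.
file_owner() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# Return 0 when the keytab is a regular file owned by the calling uid with no
# group or other permission bits (0400 or 0600); return 1 otherwise.
keytab_is_private() {
    kt=$1
    [ -f "$kt" ] || return 1
    [ "$(file_owner "$kt")" = "$(id -u)" ] || return 1
    case "$(file_mode "$kt")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Command run inside the new PAG: k5start reads the principal from the keytab
# (-U -f), re-authenticates every 10 minutes for as long as php-cgi runs (-K),
# runs aklog after each ticket it obtains (-t), and then starts php-cgi.
k5start_command() {
    printf 'exec k5start -U -f "%s" -K 10 -t -- "%s"' "$1" "$2"
}

main() {
    keytab_is_private "$AFS_KEYTAB" || {
        echo "php-wrapper: refusing to use $AFS_KEYTAB: it must be owned by uid $(id -u) with mode 0400 or 0600" >&2
        exit 1
    }
    # pagsh starts the FastCGI process in its own PAG, so the AFS tokens it
    # gets are not shared with httpd or with other vhosts' processes.
    exec pagsh -c "$(k5start_command "$AFS_KEYTAB" "${PHP_CGI:-/usr/bin/php-cgi}")"
}

# mod_fcgid supplies AFS_KEYTAB through FcgidInitialEnv. When it is absent
# (for instance when this file is sourced to exercise its functions), only the
# definitions above are loaded and nothing is executed.
if [ -n "${AFS_KEYTAB:-}" ]; then
    main
fi
```

The wrapper itself must also pass suexec's own checks (it lives under the suexec document root, is owned by the target user and group, and neither it nor its directory is writable by group or other), and the keytab should be created as 0400 owned by the vhost uid. This does not remove the disclosure Aaron describes: a site that is compromised can still read its own keytab, so the keytab's principal should carry no more than that one site's AFS rights.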
