[OpenAFS] security of virtual web servers on afs
Booker Bense
bbense@gmail.com
Wed, 12 Dec 2012 07:46:41 -0800
--20cf3071c76e6e776c04d0a9b4c8
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
On Wed, Dec 12, 2012 at 6:44 AM, Michal =C5=A0vamberg <svamberg@gmail.com> =
wrote:
>
> Is there some reasonable advice, how to separate virtual web
> servers on AFS from each others?
>
>
The only way to accomplish this is to have each subprocess that requires
write access run
with it's own afs token and only allow write access by that token.
This problem has been solved, but it's not simple. I think at a minimum
you'll need a "cgi"
server in addition to your main server. You'll also need to manage keytabs
for each of the
cms servers. Stanford has done this, but it's been so long I've forgotten
the exact details.
http://itservices.stanford.edu/service/cgi/personal
- Booker C. Bense
--20cf3071c76e6e776c04d0a9b4c8
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
<br><div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">On Wed, D=
ec 12, 2012 at 6:44 AM, Michal =C5=A0vamberg <span dir=3D"ltr"><<a href=
=3D"mailto:svamberg@gmail.com" target=3D"_blank">svamberg@gmail.com</a>>=
</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin-top:0px;margin-right:0px;=
margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color=
:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
Is there some reasonable advice, how to separate virtual web<br>
servers on AFS from each others?<br>
<br></blockquote><div><br></div><div>The only way to accomplish this is to =
have each subprocess that requires write access run=C2=A0</div><div>with it=
's own afs token and only allow write access by that token.=C2=A0</div>=
<div>
<br></div><div>This problem has been solved, but it's not simple. I thi=
nk at a minimum you'll need a "cgi"=C2=A0</div><div>server in=
addition to your main server. You'll also need to manage keytabs for e=
ach of the=C2=A0</div>
<div>cms servers. Stanford has done this, but it's been so long I'v=
e forgotten the exact details.=C2=A0</div><div><br></div><div><a href=3D"ht=
tp://itservices.stanford.edu/service/cgi/personal">http://itservices.stanfo=
rd.edu/service/cgi/personal</a><br>
</div><div><br></div><div>- Booker C. Bense</div></div></div>
--20cf3071c76e6e776c04d0a9b4c8--