[OpenAFS] security of virtual web servers on afs

[Russ Allbery]

Booker Bense <bbense@gmail.com> writes:
> On Wed, Dec 12, 2012 at 6:44 AM, Michal =C5=A0vamberg <svamberg@gmail.com=
> wrote:

>> Is there some reasonable advice, how to separate virtual web servers on
>> AFS from each others?

> The only way to accomplish this is to have each subprocess that requires
> write access run with it's own afs token and only allow write access by
> that token.

> This problem has been solved, but it's not simple. I think at a minimum
> you'll need a "cgi" server in addition to your main server.

You can mingle the servers.  You do have to make every virtual web server
run as a separate user, which means you're going to have to use suexec so
far as I know, although you may be able to do something more elaborate
with mod_waklog.  We came up with our solution before mod_waklog existed,
so it's worth taking a long look at it before going down the suexec path.

> You'll also need to manage keytabs for each of the cms servers.

You need a keytab for every separate identity that should be independent
from an AFS perspective.

> Stanford has done this, but it's been so long I've forgotten the exact
> details.

We do two things:

* We use a hacked suexec binary that creates a PAG and uses a keytab to
  obtain Kerberos credentials and AFS tokens.

* We work around a limitation in the Apache suexec support by using a tiny
  Apache module that sets the suexec user to the value of an environment
  variable (set with mod_rewrite).  Without this glue, you have to have an
  Apache configuration that explicitly configures the user, which for our
  particular use case wasn't possible.

The code isn't published publicly so far as I know, but I can send it to
people who are interested.  It's not something into which we've ever put
the effort to make it general software, so you'll probably need to fiddle
with it to get it to work elsewhere.

--=20
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>