Hi Matt, Thank you for the response.
I believe we found something workable by setting 1777 permissions (rwxrwxrwt) on the CASCookiePath. This way, no identity can read/write/remove a cookie created by another identity, but any identity can create and read its own cookies. The downside is that a new cookie (and CAS ticket I believe) are issued for the same user per identity (site). In principle, I believe this offers the same security as having the single (webserver) identity own all cookies in CASCookiePath. Let me know your thoughts though. Thank you again, -Neil From: Matt Smith [mailto:[email protected]] Sent: Thursday, February 5, 2015 8:52 AM To: [email protected] Subject: Re: [cas-user] Apache mod_auth_cas with mpm_itk or mod_ruid2? Neil, I don't think there is any real experience using mod_auth_cas with either itk or ruid2. Any suggestions on better model for file-based session state storage when using itk? -Matt On Tue, Feb 3, 2015 at 2:10 PM, Neil Sabol <[email protected]<mailto:[email protected]>> wrote: Good day CAS users, I hope you are all well. Quick question – are any of you successfully and securely using mod_auth_cas for Apache with mpm_itk or mod_ruid2? I’m thinking this may be a bad idea and is sparsely documented for that reason… Mod_auth_cas creates cookies with the user/group identity dictated by mpm_itk (instead of the web server’s identity) – thus, if CASCookiePath is only writeable by the webserver’s identity, mod_auth_cas fails: [error] MOD_AUTH_CAS: Could not create cache metadata file 'XXX/XXX/.metadata': Permission denied [error] [client XXX.XXX.XXX.XXX] MOD_AUTH_CAS: Cookie file 'XXX/XXX/cookie' could not be created: Permission denied I’ve got it working but it required making the CASCookiePath world read/writable which is bad. I appreciate any guidance or lessons learned that you can offer. Thank you in advance, -Neil -- You are currently subscribed to [email protected]<mailto:[email protected]> as: [email protected]<mailto:[email protected]> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- [email protected]<mailto:[email protected]> PGP: E2144AD8 -- You are currently subscribed to [email protected]<mailto:[email protected]> as: [email protected]<mailto:[email protected]> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
