Adam Chlipala <[EMAIL PROTECTED]> wrote:
> Christopher D. Clausen wrote:
>> Well, apache is already running as a PTS user to write log files and
>> such, if people wish to restrict their backend sites more than
>> system:anyuser they certainly can. (When we say world readable with
>> AFS, we really mean the entire world.)
>>
> Won't suexec'ing to a different UNIX user cause the AFS privileges
> associated with www-data to be lost?
I've checked on this and heard conflicting reports of both loss and retaining of tokens. Since both the www-data (no PAG) and the root user (with a PAG) have tokens, it's likely that the root user's tokens will be present across setuid changes. But this of course remains to be tested. If it's a serious issue, we might be able to get away with creating an IP ACL on the affected directories. IP ACLs aren't reliable, but that uncertainty and trouble in setup might be worth the hassle for someone who doesn't want system:anyuser access.

> I'm sure we'll have people who are only willing to use MySQL,
> including people who want this because popular scripts use MySQL by
> default without extra custom configuration. What do you think about
> my earlier suggestion that such people run their own k5start's?
> Maybe I misunderstand how this ticketing works and that wouldn't help.

They would need to run their own daemon. For things like PHP, this would mean their own instance of apache. This is certainly possible, but I'm not sure how many separate apache instances can be supported until things break. Or how to properly allocate network ports (even on localhost for use with proxy_pass.) And proxy_pass breaks certain things, like the mod_auth modules. I wanted to use mod_auth_kerb myself for true SSO with a web app.

In my opinion, a lot of people could simply use a small 5MB or so of local disk to have a "db_include.php" file with the db connectivity info chowned to their uid (perhaps domtool can set this up?) Having apache/suphp/whatever setuid would allow the script to be read. For things like Wordpress, this should be fine as the PHP files are already available to anyone. The only real things worth protecting would be the db password (and maybe db name and user account.) In theory, if they are posting attachments to the blog, they want others to see them anyway and securing the uploads isn't a serious problem.
(Although allowing anonymous write access to AFS for apache certainly would be. The IP ACL might have to be used for uploads as well. Someone who knows what they are doing might be able to use another user's quota for such things.) Other than those caveats, I think it's a good plan and we should encourage users to use Postgres whenever possible.

<<CDC

_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
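An added check for the question the reply above leaves open (whether AFS tokens survive the suexec UID switch); this is example code written for this page, not something from the thread or from HCoop. Run it as a CGI under suexec, or from a shell as the target user, and it reports whether the Cache Manager holds a token in the process's PAG. The cell name hcoop.net and the exact `tokens` output layout are assumptions, and the sample outputs are constructed.

```python
# Added example: detect whether this process (e.g. after suexec) holds AFS
# tokens, by running the OpenAFS `tokens` command and parsing its output.
import os
import re
import subprocess

# One line per token, e.g.
#   User's (AFS ID 1234) tokens for afs@hcoop.net [Expires Jun 30 12:00]
# Newer OpenAFS prints "rxkad tokens for ..." and may omit "afs@"; both
# variants are accepted. The layout is assumed, not taken from the thread.
_TOKEN_LINE = re.compile(
    r"\(AFS ID (?P<afs_id>\d+)\) (?:\w+ )?tokens for (?:afs@)?(?P<cell>\S+)"
    r" \[Expires (?P<expires>[^\]]+)\]"
)


def parse_tokens_output(text):
    """Return a list of {afs_id, cell, expires} dicts, one per token line."""
    return [m.groupdict() for line in text.splitlines()
            for m in [_TOKEN_LINE.search(line)] if m]


def has_token_for_cell(text, cell):
    """True if the `tokens` output shows a token for the given cell."""
    return any(t["cell"] == cell for t in parse_tokens_output(text))


def current_tokens():
    """Run `tokens` and parse it; None when no OpenAFS client is installed."""
    try:
        proc = subprocess.run(["tokens"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return parse_tokens_output(proc.stdout)


# Constructed sample outputs in the `tokens` layout described above.
SAMPLE_WITH_TOKEN = """Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@hcoop.net [Expires Jun 30 12:00]
   --End of list--
"""
SAMPLE_NO_TOKEN = """Tokens held by the Cache Manager:

   --End of list--
"""

if __name__ == "__main__":
    # CGI-style output: header, then uid/euid and the tokens seen in this PAG.
    print("Content-Type: text/plain\n")
    print("uid=%d euid=%d" % (os.getuid(), os.geteuid()))
    toks = current_tokens()
    if toks is None:
        print("tokens: command not found (no OpenAFS client)")
    elif not toks:
        print("no AFS tokens in this process's PAG")
    for t in toks or []:
        print("token for %s (AFS ID %s), expires %s" % (t["cell"], t["afs_id"], t["expires"]))
```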
