Christopher D. Clausen wrote:
> I've checked on this and heard conflicting reports of both loss and
> retaining of tokens. Since both the www-data (no PAG) and the root user
> (with a PAG) have tokens, it's likely that the root user's tokens will be
> present across setuid changes. But this of course remains to be tested.
> If it's a serious issue, we might be able to get away with creating an IP
> ACL on the affected directories. IP ACLs aren't reliable, but that
> uncertainty and trouble in setup might be worth the hassle for someone who
> doesn't want system:anyuser access.

I just wanted to make sure my position is clear: security is much more important than performance here. Some decisions which make sense in more traditional environments seem to me to be too fraught with peril to even consider. I don't want to break the rule of "users can't run any programs as any other users" just because that might be necessary to avoid costly AFS operations on every CGI access.

> In my opinion, a lot of people could simply use a small 5MB or so of
> local disk to have a "db_include.php" file with the db connectivity info
> chowned to their uid

We could just give users actual /home directories on demand, with strict quotas for non-admins on that partition and automated copying to AFS volumes for back-up purposes. I have a feeling we would need to increase the size of the /home partition to make this feasible, and we might as well do it now, before this could disrupt production services.

Thoughts, anyone?
_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
