Adam Chlipala <[EMAIL PROTECTED]> writes:

> Adam Megacz wrote:
>> UNIX only does permission checks on open(), whereas AFS does
>> permission checks on fsync() and close(). In other words, if you open
>> a file, drop your tokens, and then try to write to it, the next fsync()
>> or the close() will fail. (BTW, there are very good reasons for this
>> behavior, involving the possibility of writing your own "renegade"
>> implementation of the AFS client).

> In /etc/init.d/apache2 on deleuze now, we have a kstart running to keep

I've been talking about mire so far, where we run Apache 1.3 and
mod_waklog.

Mod_waklog and k5start should not be used together (mod_waklog subsumes
k5start's functionality). You can give mod_waklog a directive
"WaklogDefaultPrincipal" which tells it what tokens to hold while it's
parsing the request (i.e. before it decides which <Location/> block to
look in for the user tokens it should grab). But if it tries to write to
the log file after grabbing user tokens, that write will fail.

I guess we'd have to experiment to be completely certain, but it looks as
if by the time Apache decides *which* access log it ought to be writing
to, it has already dropped the WaklogDefaultPrincipal tokens and picked
up the per-user tokens. Even if it works for some test cases, it sounds
pretty sketchy to me... you're opening yourself up to the vagaries of
kernel buffer flushing.

>> Are you saying that waklog doesn't spawn separate processes to
>> handle user CGI execution?

CGIs are always executed outside the Apache process (fork() then
exec()). But mod_waklog has nothing to do with this.

> It is important that CGI scripts run as the owning UNIX users,

The normal Apache mechanisms (mod_suexec, etc.) are responsible for making
sure that setuid() gets called to change the UNIX process userid.
Mod_waklog takes care of changing the AFS tokens. Together, they change
the two things that matter.

  - a

--
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380

_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
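The thread's point about AFS checking permissions at fsync()/close() rather than at open() has a practical consequence for any daemon writing logs into AFS: a write that "succeeded" can still be rejected when the buffer is flushed, so errors from fsync() and close() must be checked rather than discarded. The following Python is an added illustration, not code from this mail or from mod_waklog; the `fsync_fn`/`close_fn` parameters and the `simulate_token_loss` helper are hypothetical hooks constructed here so that the deferred EACCES failure can be reproduced without an AFS cell.

```python
import errno
import os
import tempfile


def afs_safe_write(path, data, fsync_fn=os.fsync, close_fn=os.close):
    """Write `data` to `path` and report whether it was durably committed.

    On plain UNIX filesystems permission is checked at open(), so a
    successful open() means the later write will land. On AFS the check
    happens at fsync()/close(), so a process that loses its tokens after
    open() (an Apache worker that has swapped WaklogDefaultPrincipal tokens
    for per-user tokens, say) sees the failure only at the end. The
    fsync_fn/close_fn parameters are hypothetical hooks for this example so
    a test can stand in for that deferred failure; they are not a real API.

    Returns (ok, errname): ok is True only if fsync() AND close() succeeded;
    errname is the errno symbol of the first failure, or None.
    """
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    except OSError as e:
        return False, errno.errorcode.get(e.errno, str(e.errno))

    failure = None
    try:
        # os.write() may write fewer bytes than requested, so loop.
        view = memoryview(data)
        while view:
            n = os.write(fd, view)
            view = view[n:]
        # AFS does its permission check here ...
        fsync_fn(fd)
    except OSError as e:
        failure = e.errno

    # ... and here. close() is always attempted so the descriptor is not
    # leaked, and its error is kept: on AFS this is where "permission
    # denied" actually surfaces.
    try:
        close_fn(fd)
    except OSError as e:
        if failure is None:
            failure = e.errno

    if failure is None:
        return True, None
    return False, errno.errorcode.get(failure, str(failure))


def simulate_token_loss(path, data):
    """Constructed scenario: tokens are dropped after open(), so fsync() and
    close() fail with EACCES the way the AFS client would report it."""
    def denied(fd):
        raise OSError(errno.EACCES, "permission denied (tokens dropped)")

    def denied_close(fd):
        os.close(fd)  # really release the local fd, then report the denial
        raise OSError(errno.EACCES, "permission denied (tokens dropped)")

    return afs_safe_write(path, data, fsync_fn=denied, close_fn=denied_close)


def demo():
    """Run both cases in a scratch directory; returns (local, simulated_afs)."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "access.log")
        line = b"GET / 200\n"  # constructed sample log line
        return afs_safe_write(p, line), simulate_token_loss(p, line)


if __name__ == "__main__":
    local, afs = demo()
    print("local disk:", local)                      # (True, None)
    print("simulated AFS after token drop:", afs)    # (False, 'EACCES')
```

The point of the helper is the shape of the error handling, not the simulation: any logger whose output lives in AFS should treat a non-zero return from fsync() or close() as a lost write, which is exactly the case the message describes when the per-user tokens are already in place by the time the access log is flushed.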
