Hi Rainer,

we are working on a similar setup with a webserver mounting a filespace
via NFSv4 and therefore started a little internal discussion
(file-system guys with web-guys), how we think the issue could be
solved. The following is what our analysis brought up.

The whole "suexec-thing" is a security mechanism, right? I hope we got
it correctly:

The (human) user creates the script (owned by the user or its account
or more exactly its user-id). The user grants the web-server user to
execute the script on behalf of the user, by placing it in the correct
path, setting the x-bit (and being the owner of the script as somehow
implicit precondition). So the permission granting is not based on
POSIX-mode (alone) but on a combination with other factors.

The web-server achieves root permission executing suexec (owned by
root, setuid-bit set). The manpage of suexec says: "suexec [...] In
order to achieve this, it must run as root.".

From the system side, the security depends on the web-server alone,
which traverses identities:

  wwwrun -> root -> user

This "security"-setup seems very much the NFSv3 way (nfs = "no file
security"), i.e. accepting the user-id itself as a valid
authentication.

We think the suexec-security-mechanism to be basically incompatible
with an (ACL- and Kerberos-based) NFSv4 way of security. The NFSv4
security has at least two important parts. nfs(5):

* Transport: cryptographic proof of a user's identity (krb5),
  integrity (krb5i), encryption (krb5p).
* Permissions: rich ACLs.

The "cryptographic proof of a user's identity" already breaks the
suexec-approach, right?

Sole solution: setting no_root_squash. One would probably keep the
encryption part of the NFSv4 security. A similar result could be
achieved by using Kerberos-encrypted NFSv3 (again with
no_root_squash). In both cases, the suexec/suphp-mechanism could stay
unchanged.

If NFSv4 with transport-security and NFSv4 ACLs is desired, a
different design is necessary, as the identity traversal creates a
problem here:

  wwwrun (has KRB5 Ticket) -> root (may have Ticket) -> user (no Ticket)

I am not sure what one would like to achieve here, but a few remarks:

The ACLs would allow involving more groups to shape the desired
permissions. Perhaps it would be helpful to give every user who runs
scripts a second account. The web-server could hold keytab files for
those accounts.

Regarding NFSv4 ACLs and web-server-access one should not overlook
that EVERYONE@ is not equivalent to the "other" known from POSIX mode.

What do you think?

Best regards,
Robert and the CFS Team

On 10.03.2015 at 15:19, Rainer Krienke wrote:
> Hello,
>
> I have a web server (SuSE SLES11) where users can offer their own
> web pages they write in $HOME/public_html. The public_html
> directory is NFS mounted from an NFS server. At the moment NFS3 is
> used for this setup and I would like to migrate it to NFS V4 using
> kerberos.
>
> So I set up a kerberos server and configured the NFS server for
> NFSV4. This works fine. Next I tried what happens when I try to
> access the webserver like http://mywebserver/~nfsuser where
> mywebserver (running apache 2.2) does a krb5 NFS V4 mount of the
> users home directories using automount. I first got a permission
> denied. To get this working I created a
> HTTP/mywebserver.mydomain@MYREALM principal and exported it to a
> keytab file on mywebserver. When starting up apache on this server
> I ran kinit for the HTTP principal first using a credential cache
> file in /tmp/krb5cc_nn where nn is the userid of the user httpd is
> running with (wwwrun). Now basic access to a simple webpage
> accessed via NFSV4 also works.
>
> However what still does not work is calling cgi scripts that use
> suexec and calling php scripts that use suphp.
> Both methods change the user id of the running CGI or PHP script
> to the user id of the script being read from NFS. Since there is no
> kerberos ticket for any of the users (they did not and cannot
> authenticate) NFS access is probably denied.
>
> Is there any solution to this suexec/suphp problem? Is it possible
> to configure kerberos to grant the webserver access to all the NFS4
> mounted user directories?
>
> What I am looking for is an authentication of the server to
> kerberos and vice versa, but no user authentication for NFS V4
> access to NFS user directories (some thousands).
>
> Any idea how this could be accomplished?
>
> Thanks a lot in advance
> Rainer

--
Dr. Robert Wehn, http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum, Tel. (0821) 598-2047
86135 Augsburg, Fax. (0821) 598-2028

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
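
Added example, not part of the original message: the remark above that EVERYONE@ is not the POSIX "other" can be seen with a small model of both checks. The evaluator follows the ACE-ordering rule of RFC 7530 section 6.2.1 in simplified form; the users alice and bob, the group students and all ACLs are constructed for illustration.

```python
# Added illustration: simplified models of a POSIX mode check and of NFSv4
# ACL evaluation (RFC 7530, section 6.2.1). Users and ACLs are constructed.
R, W, X = 4, 2, 1

def posix_allows(mode, owner, group, user, user_groups, want):
    """POSIX picks exactly one class: owner, else group, else other."""
    if user == owner:
        bits = (mode >> 6) & 7
    elif group in user_groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want

def who_matches(who, owner, group, user, user_groups):
    if who == "EVERYONE@":
        return True                      # includes owner and owning group
    if who == "OWNER@":
        return user == owner
    if who == "GROUP@":
        return group in user_groups
    return who == user or who in user_groups   # named principal (simplified)

def nfs4_allows(acl, owner, group, user, user_groups, want):
    """Walk ACEs in order; the first matching ACE naming a bit decides it."""
    undecided = want
    for ace_type, who, mask in acl:
        if not who_matches(who, owner, group, user, user_groups):
            continue
        if ace_type == "D" and mask & undecided:
            return False                 # deny hits a bit not yet allowed
        if ace_type == "A":
            undecided &= ~mask
        if undecided == 0:
            return True
    return False                         # leftover bits: treated as denied

OWNER, GROUP = "alice", "students"       # constructed file owner and group
MODE = 0o705                             # owner rwx, group ---, other r-x
ACL_NAIVE = [("A", "OWNER@", R | W | X), ("A", "EVERYONE@", R | X)]
ACL_LIKE_MODE = [("A", "OWNER@", R | W | X), ("D", "GROUP@", R | W | X),
                 ("A", "EVERYONE@", R | X)]
ACL_DENY_WRITE = [("D", "EVERYONE@", W), ("A", "OWNER@", R | W | X)]

if __name__ == "__main__":
    for name, groups in (("wwwrun", {"www"}), ("bob", {"students"})):
        args = (OWNER, GROUP, name, groups, R | X)
        print(name, posix_allows(MODE, *args), nfs4_allows(ACL_NAIVE, *args),
              nfs4_allows(ACL_LIKE_MODE, *args))
    print("alice write:", nfs4_allows(ACL_DENY_WRITE, OWNER, GROUP, OWNER, {GROUP}, W))
```

Translating mode 0705 as "owner plus EVERYONE@" lets group member bob in, which the mode bits did not; reproducing the mode needs an explicit GROUP@ deny ahead of the EVERYONE@ allow, and a leading EVERYONE@ deny also locks out the owner.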