AFS authenticated daemons

If your web server serves content out of an AFS space that local users can also reach, you probably want to limit it to files you have already audited for copyright issues. When a user requests a page, Apache honours the UNIX mode bits for “other” when deciding whether an unauthenticated web user may read it. Intuitively, a new admin may assume that the system:anyuser and system:authuser ACLs control access both by off-site AFS users and by off-site web users. With AFS, however, Apache runs holding tokens (perhaps for an httpd service principal), so it passes any system:authuser ACL check!

The long and the short of it is that you need a different policy for controlling access from AFS-authenticated daemons than you do for controlling access by AFS clients. This means that you cannot simply use system:authuser to control access to material that may be private to your site, because authenticated daemons will happily serve up that information to external users.

I recommend creating a separate AFS group ‘authuser’ to control access to material that MAY be private: authenticated users SHOULD be able to read it, while non-authenticated users and service daemon clients SHOULD NOT. Add every AFS account that represents a user to this group.
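As an added example (not from the original post), here is the administrative procedure above as a shell script using the standard OpenAFS `pts` and `fs` commands. The group name `authuser`, the users `alice` and `bob`, the cell path `/afs/example.org/www/private`, and the `AFS_DRY_RUN` variable are all placeholders I chose; the script assumes it is run by a cell administrator.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes OpenAFS client tools
# (pts, fs) and administrator tokens. Placeholder names: group "authuser",
# users "alice"/"bob", directory /afs/example.org/www/private.
# Set AFS_DRY_RUN=1 to print the commands instead of executing them.

run() {
    if [ "${AFS_DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# One-time setup: create the group of accounts that represent real people,
# then add each member. Usage: create_authuser_group GROUP USER...
create_authuser_group() {
    group="$1"; shift
    run pts creategroup -name "$group"
    for user in "$@"; do
        run pts adduser -user "$user" -group "$group"
    done
}

# Protect one directory: real users (via the group) get read+lookup, the
# builtin system:authuser entry, which a token-holding httpd also satisfies,
# is removed ("none" deletes the ACL entry), and system:anyuser gets nothing.
# Usage: protect_private_dir DIR GROUP
protect_private_dir() {
    dir="$1"; group="$2"
    run fs setacl -dir "$dir" -acl "$group" rl
    run fs setacl -dir "$dir" -acl system:authuser none
    run fs setacl -dir "$dir" -acl system:anyuser none
    run fs listacl -path "$dir"
}

# Example invocation (uncomment to apply):
# create_authuser_group authuser alice bob
# protect_private_dir /afs/example.org/www/private authuser
```

After running this, check `fs listacl` on the directory: an entry for `system:authuser` should no longer appear, so a daemon running with a service principal's tokens that is not in the group gets no access.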

Then there is the problem of users starting their own daemons and serving authuser files to the world with their own tokens. The only solution I see so far is to forbid user accounts from listening on network ports, and to create a separate account for daemons that chroots the user to their home directory at login. Forbidding user applications from listening on network ports may break particular client applications, such as FTP and IRC.
