Help with kerberos+nfs V4 on a webserver using suexec and suphp

Robert Wehn robert.wehn at rz.uni-augsburg.de
Fri Mar 13 06:27:38 EDT 2015



Hi Rainer,

we are working on a similar setup with a webserver mounting a filespace
via NFSv4 and therefore started a little internal discussion (file-system
guys with web-guys), how we think the issue could be solved. The
following is what our analysis brought up.

The whole "suexec-thing" is a security mechanism, right? I hope, we got
it correctly: The (human) user creates the script (owned by the user or
its account or more exactly its user-id). The user grants the
web-server user to execute the script on behalf of the user, by placing
it in the correct path, setting the x-bit (and being the owner of the
script as somehow implicit precondition). So the permission granting is
not based on POSIX-mode (alone) but on a combination with other factors.
The web-server achieves root permission executing suexec (owned by root,
setuid-bit set). The manpage of suexec says:
  "suexec [...] In order to achieve this, it must run as root.".
From the system side, the security depends on the web-server alone,
which traverses identities:
  wwwrun -> root -> user
This "security"-setup seems very much the NFSv3 way (nfs = "no file
security", i.e. accepting the user-id itself as a valid authentication).

We think the suexec-security-mechanism to be basically incompatible with
an (ACL- and Kerberos-based) NFSv4 way of security. The NFSv4 security
has at least two important parts. nfs(5):
* Transport: cryptographic proof of a user's identity (krb5), integrity
(krb5i), encryption (krb5p).
* Permissions: rich ACLs.

The "cryptographic proof of a user's identity" already breaks the
suexec-approach, right? Sole solution: setting no_root_squash. One would
probably keep the encryption part of the NFSv4 security. A similar
result could be achieved by using kerberos encrypted NFSv3 (again with
no_root_squash). In both cases, the suexec/suphp-mechanism could stay
unchanged.

If NFSv4 with transport-security and NFSv4 ACLs is desired, a different
design is necessary, as the identity traversion creates a problem here:

wwwrun (has KRB5 Ticket) -> root (may have Ticket) -> user (no Ticket)

I am not sure, what one would like to achieve here,
but a few remarks: The ACLs would allow to involve more groups to shape
the desired permissions. Perhaps it would be helpful to give every user
which runs scripts a second account. The web-server could hold keytab
files for those accounts. Regarding NFSv4 ACLs and web-server-access one
should not overlook that EVERYONE@ is not equivalent to the
"other" known from POSIX mode.

What do you think?

Best regards,

Robert and the CFS Team

On 10.03.2015 at 15:19, Rainer Krienke wrote:
> Hello,
> 
> I have a web server (SuSE SLES11) where users can offer their own
> web pages they write in $HOME/public_html. The public_html
> directory is NFS mounted from a NFS server.  At the moment NFS3 is
> used for this setup and I would like to migrate it to NFS V4 using
> kerberos.
> 
> So I set up a kerberos server and configured the NFS server for NFSV4.
> This works fine. Next I tried what happens when I try to access the
> webserver like http://mywebserver/~nfsuser where mywebserver
> (running apache 2.2) does a krb5 NFS V4 mount of the users home
> directories using automount. I first got a permission denied. To
> get this working I created a HTTP/mywebserver.mydomain@MYREALM
> principal and exported it to a keytab file on mywebserver. When
> starting up apache on this server I ran kinit for the HTTP
> principal first using a credential cache file in /tmp/krb5cc_nn
> where nn is the userid of the user httpd is running with (wwwrun).
> Now basic access to a simple webpage accessed via NFSV4 also 
> works.
> 
> However what still does not work is calling cgi scripts that use
> suexec and calling php scripts that use suphp. Both methods change
> the user id of the running CGI or PHP script to the user id of the
> script being read from NFS. Since there is no kerberos ticket for
> any of the users (they did not and cannot authenticate) NFS access
> is probably denied.
> 
> Is there any solution to this suexec/suphp problem? Is it possible
> to configure kerberos to grant the webserver access to all the NFS4
> mounted user directories?
> 
> What I am looking for is an authentication of the server to
> kerberos and vice versa, but no user authentication for NFS V4
> access to NFS user directories (some thousands).
> 
> Any idea how this could be accomplished?
> 
> Thanks a lot in advance Rainer

-- 

Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
86135 Augsburg .................................. Fax. (0821) 598-2028
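The remark in the message above that EVERYONE@ is not the POSIX "other" class, shown as an added example (not part of the original post or of any NFS implementation): a simplified Python model of both access checks for a single permission bit. The names alice, bob, wwwrun and webusers are constructed, and inheritance flags, real NFSv4 mask names and root handling are left out.

```python
from collections import namedtuple

# kind: "A" = allow ACE, "D" = deny ACE; perms: subset of "rwx" (simplified masks)
Ace = namedtuple("Ace", "kind who perms")

def posix_allows(mode, file_owner, file_group, user, groups, want):
    """POSIX picks exactly ONE class: owner, else group, else other."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if user == file_owner:
        shift = 6
    elif file_group in groups:
        shift = 3
    else:
        shift = 0                      # "other" = neither owner nor group member
    return bool((mode >> shift) & bit)

def ace_matches(who, file_owner, file_group, user, groups):
    if who == "EVERYONE@":
        return True                    # matches everybody, owner and group included
    if who == "OWNER@":
        return user == file_owner
    if who == "GROUP@":
        return file_group in groups
    return who == user or who in groups   # named principal (simplified)

def nfs4_allows(acl, file_owner, file_group, user, groups, want):
    """ACEs are read in order; the first matching ACE naming the bit decides."""
    for ace in acl:
        if want in ace.perms and ace_matches(ace.who, file_owner, file_group,
                                             user, groups):
            return ace.kind == "A"
    return False                       # bit never granted: denied

def demo():
    f = ("alice", "webusers")          # constructed file owner and group
    www = ("wwwrun", {"webusers"})     # constructed: web server is in the file's group
    lenient = [Ace("A", "OWNER@", "rw"), Ace("A", "EVERYONE@", "r")]
    deny_first = [Ace("D", "EVERYONE@", "w"), Ace("A", "OWNER@", "rw")]
    allow_first = [Ace("A", "OWNER@", "rw"), Ace("D", "EVERYONE@", "w")]
    return {
        # mode 0604: group class has no bits, so a group member is refused ...
        "posix_group_member_read": posix_allows(0o604, *f, *www, "r"),
        # ... while the "equivalent" EVERYONE@ ACE lets the same user in.
        "nfs4_group_member_read": nfs4_allows(lenient, *f, *www, "r"),
        # A leading deny on EVERYONE@ also locks out the owner.
        "owner_write_deny_first": nfs4_allows(deny_first, *f, "alice", set(), "w"),
        "owner_write_allow_first": nfs4_allows(allow_first, *f, "alice", set(), "w"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
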

