| 1 | \subsection{AFS} |
| 2 | |
| 3 | \begin{frame} |
| 4 | \frametitle{AFS access controls} |
| 5 | \begin{itemize} |
| 6 | \item AFS enforces server-side access controls. |
| 7 | \item On Athena systems: user's password $\to$ Kerberos tickets |
| 8 | $\to$ AFS tokens, which authenticate the client to the AFS server. |
| 9 | \item On scripts, we don't have the user's password or tickets. |
| 10 | \item Users' scripts are not publicly readable. |
| 11 | \item Access is controlled through a single {\tt daemon.scripts} AFS |
| 12 | user. |
| 13 | \end{itemize} |
| 14 | \end{frame} |
| 15 | |
| 16 | \begin{frame} |
| 17 | \frametitle{Isolating users on scripts} |
| 18 | \begin{itemize} |
| 19 | \item If all users share {\tt daemon.scripts} AFS tokens, how are |
| 20 | they prevented from accessing each other's {\tt web\_scripts}? |
| 21 | \item On scripts, we enforce additional restrictions in the AFS |
| 22 | kernel module. |
| 23 | \begin{itemize} |
| 24 | \item \texttt{afs\_AccessOK()} in |
| 25 | \texttt{openafs/src/afs/VNOPS/afs\_vnop\_access.c} |
| 26 | \end{itemize} |
| 27 | \end{itemize} |
| 28 | \end{frame} |
| 29 | |
| 30 | \begin{frame}[fragile] |
| 31 | \only<1>{You can only use {\tt daemon.scripts} credentials to access |
| 32 | files in a volume with volume ID equal to your UID,}% |
| 33 | \only<2>{or the file is {\tt system:anyuser} readable |
| 34 | anyway,\vspace{\baselineskip}}% |
| 35 | \only<3>{or the {\tt apache} or {\tt postfix} users are doing a {\tt |
| 36 | stat()},\vspace{\baselineskip}}% |
| 37 | \only<4>{or the {\tt apache} user is trying to read a file with mode |
| 38 | {\tt 777},\vspace{\baselineskip}}% |
| 39 | \only<5>{or the {\tt root} or {\tt signup} users are accessing a file |
| 40 | with the special {\tt D} or {\tt E} bits.}% |
| 41 | |
| 42 | \begin{footnotesize} |
| 43 | \begin{semiverbatim} |
| 44 | int |
| 45 | afs_AccessOK(struct vcache *avc, afs_int32 arights, |
| 46 | struct vrequest *areq, afs_int32 check_mode_bits) |
| 47 | \{ |
| 48 | \ldots |
| 49 | + if (\alert<1>{!(areq->realuid == avc->fid.Fid.Volume)} && |
| 50 | + \alert<2>{!((avc->anyAccess | arights) == avc->anyAccess)} && |
| 51 | + \alert<3>{!(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) &&} |
| 52 | + \alert<3>{!(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID)} && |
| 53 | + \alert<4>{!(arights == PRSFS_READ && areq->realuid == HTTPD_UID &&} |
| 54 | + \alert<4>{ avc->m.Mode == 0100777)} && |
| 55 | + \alert<5>{!(PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq) &&} |
| 56 | + \alert<5>{ areq->realuid == 0) &&} |
| 57 | + \alert<5>{!(PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq) &&} |
| 58 | + \alert<5>{ (areq->realuid == 0 || areq->realuid == SIGNUP_UID))}) \{ |
| 59 | + return 0; |
| 60 | + \} |
| 61 | \ldots |
| 62 | \end{semiverbatim} |
| 63 | \end{footnotesize} |
| 64 | \end{frame} |
| 65 | |