\subsection{AFS}

\begin{frame}
\frametitle{AFS access controls}
\begin{itemize}
\item AFS enforces its access controls on the server side.
\item On Athena systems: user's password $\to$ Kerberos tickets
$\to$ AFS tokens, which authenticate the client to the AFS server.
\item On scripts, we don't have the user's password or tickets.
\item Users' scripts are not publicly readable, so {\tt system:anyuser}
access is not enough.
\item Access is controlled through a single {\tt daemon.scripts} AFS
user.
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Isolating users on scripts}
\begin{itemize}
\item If all users share {\tt daemon.scripts} AFS tokens, how are
they prevented from accessing each other's {\tt web\_scripts}?
\item On scripts, we enforce additional restrictions in the AFS
kernel module, on top of the server-side ACL check.
\begin{itemize}
\item \texttt{afs\_AccessOK()} in
\texttt{openafs/src/afs/VNOPS/afs\_vnop\_access.c}
\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}[fragile]
\only<1>{You can only use {\tt daemon.scripts} credentials to access
files in a volume whose volume ID equals your UID,}%
\only<2>{or {\tt system:anyuser} already holds every right the
request needs,\vspace{\baselineskip}}%
\only<3>{or the {\tt apache} or {\tt postfix} users are doing a
lookup (e.g.\ a {\tt stat()}),\vspace{\baselineskip}}%
\only<4>{or the {\tt apache} user is reading a regular file whose
mode is exactly {\tt 0777},\vspace{\baselineskip}}%
\only<5>{or {\tt root} is accessing a file whose ACL grants the
special {\tt D} bit, or {\tt root} or {\tt signup} one whose ACL
grants the special {\tt E} bit.}%

\begin{footnotesize}
\begin{semiverbatim}
int
afs_AccessOK(struct vcache *avc, afs_int32 arights,
struct vrequest *areq, afs_int32 check_mode_bits)
\{
\ldots
+ if (\alert<1>{!(areq->realuid == avc->fid.Fid.Volume)} &&
+ \alert<2>{!((avc->anyAccess | arights) == avc->anyAccess)} &&
+ \alert<3>{!(arights == PRSFS_LOOKUP && areq->realuid == HTTPD_UID) &&}
+ \alert<3>{!(arights == PRSFS_LOOKUP && areq->realuid == POSTFIX_UID)} &&
+ \alert<4>{!(arights == PRSFS_READ && areq->realuid == HTTPD_UID &&}
+ \alert<4>{ avc->m.Mode == 0100777)} &&
+ \alert<5>{!(PRSFS_USR3 == afs_GetAccessBits(avc, PRSFS_USR3, areq) &&}
+ \alert<5>{ areq->realuid == 0) &&}
+ \alert<5>{!(PRSFS_USR4 == afs_GetAccessBits(avc, PRSFS_USR4, areq) &&}
+ \alert<5>{ (areq->realuid == 0 || areq->realuid == SIGNUP_UID))}) \{
+ return 0;
+ \}
\ldots
\end{semiverbatim}
\end{footnotesize}
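Review bot: the added condition folds six policy exceptions into one expression with no comment, so the rationale lives only in the slide overlays; put a comment above the {\tt if} naming each case (own volume, {\tt system:anyuser} rights, apache/postfix lookup, apache read of a mode-777 file, the D and E bits) so the intent survives outside this deck. Two details that comment should spell out, because both are exact comparisons: {\tt avc->m.Mode == 0100777} matches only a regular file with mode 0777 and no setuid, setgid or sticky bit, and {\tt arights == PRSFS\_LOOKUP} / {\tt arights == PRSFS\_READ} match a request for exactly that one right, so a combined request such as read plus lookup gets no exception and falls back to the UID/volume test. {\tt HTTPD\_UID}, {\tt POSTFIX\_UID} and {\tt SIGNUP\_UID} are used but not defined in this hunk; their definitions (or the header that provides them) should ship with the change.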
\end{frame}

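The policy the last two frames describe, the per-user isolation enforced in \texttt{afs\_AccessOK()} and the list of exceptions to it, written out as an added example that is not OpenAFS code and not the scripts team's code. The struct \texttt{access\_query}, the helpers \texttt{get\_access\_bits()}, \texttt{scripts\_access\_ok()} and \texttt{check()}, and the numeric values of \texttt{HTTPD\_UID}, \texttt{POSTFIX\_UID} and \texttt{SIGNUP\_UID} are assumptions made for the example; the rights-bit values follow OpenAFS's \texttt{prs\_fs.h}, though the model only needs them to be distinct bits. The function answers the question the kernel hunk answers: does the {\tt daemon.scripts} token get as far as AFS's normal ACL check, or is the request rejected outright?

```c
/* Model of the scripts.mit.edu override in afs_AccessOK(). Added example,
 * neither OpenAFS code nor the scripts team's code. Assumed, not from the
 * slides: the UIDs below and the struct standing in for the vcache/vrequest
 * fields that the kernel check reads. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef int32_t afs_int32;

/* Directory rights bits; values follow OpenAFS src/afs/prs_fs.h. */
#define PRSFS_READ   0x00000001
#define PRSFS_WRITE  0x00000002
#define PRSFS_LOOKUP 0x00000008
#define PRSFS_USR3   0x08000000  /* the "D" bit on scripts */
#define PRSFS_USR4   0x10000000  /* the "E" bit on scripts */

/* Hypothetical UIDs: the slides name these accounts but give no numbers. */
#define HTTPD_UID    48
#define POSTFIX_UID  89
#define SIGNUP_UID   1001

/* Stand-in for the struct vcache / struct vrequest fields the check reads. */
struct access_query {
    afs_int32 realuid;    /* areq->realuid: Unix uid of the calling process */
    afs_int32 volume;     /* avc->fid.Fid.Volume: volume holding the file */
    afs_int32 any_access; /* avc->anyAccess: rights system:anyuser holds */
    afs_int32 acl_rights; /* rights the daemon.scripts token holds here */
    afs_int32 mode;       /* avc->m.Mode: full mode word, e.g. 0100777 */
    afs_int32 arights;    /* rights this operation asks for */
};

/* Models afs_GetAccessBits(avc, want, areq): the subset of the wanted bits
 * that the caller's token actually grants on this file. */
static afs_int32 get_access_bits(const struct access_query *q, afs_int32 want)
{
    return q->acl_rights & want;
}

/* true: the override lets the request fall through to AFS's normal ACL check;
 * false: the override rejects it outright (the "return 0" on the slide). */
bool scripts_access_ok(const struct access_query *q)
{
    if (q->realuid == q->volume)
        return true;  /* own volume: volume ID == UID */
    if ((q->any_access | q->arights) == q->any_access)
        return true;  /* system:anyuser already holds every requested right */
    if (q->arights == PRSFS_LOOKUP &&
        (q->realuid == HTTPD_UID || q->realuid == POSTFIX_UID))
        return true;  /* apache/postfix doing a lookup (stat) */
    if (q->arights == PRSFS_READ && q->realuid == HTTPD_UID &&
        q->mode == 0100777)
        return true;  /* apache reading a regular file whose mode is exactly 0777 */
    if (get_access_bits(q, PRSFS_USR3) == PRSFS_USR3 && q->realuid == 0)
        return true;  /* root where the D bit is granted */
    if (get_access_bits(q, PRSFS_USR4) == PRSFS_USR4 &&
        (q->realuid == 0 || q->realuid == SIGNUP_UID))
        return true;  /* root or signup where the E bit is granted */
    return false;
}

/* One-line form for tables of cases and for tests. */
bool check(afs_int32 realuid, afs_int32 volume, afs_int32 any_access,
           afs_int32 acl_rights, afs_int32 mode, afs_int32 arights)
{
    struct access_query q = { realuid, volume, any_access, acl_rights, mode, arights };
    return scripts_access_ok(&q);
}

int main(void)
{
    const afs_int32 rl = PRSFS_READ | PRSFS_LOOKUP;  /* typical web_scripts ACL */
    struct { const char *what; bool got, want; } cases[] = {
        { "user 1000 writes in own volume",
          check(1000, 1000, 0, rl, 0100644, PRSFS_WRITE), true },
        { "user 1000 reads user 2000's private file",
          check(1000, 2000, 0, rl, 0100644, PRSFS_READ), false },
        { "user 1000 reads user 2000's anyuser-readable file",
          check(1000, 2000, rl, rl, 0100644, PRSFS_READ), true },
        { "apache stats user 2000's file",
          check(HTTPD_UID, 2000, 0, rl, 0100600, PRSFS_LOOKUP), true },
        { "apache reads a 0755 file of user 2000",
          check(HTTPD_UID, 2000, 0, rl, 0100755, PRSFS_READ), false },
        { "apache reads a 0777 file of user 2000",
          check(HTTPD_UID, 2000, 0, rl, 0100777, PRSFS_READ), true },
        { "signup writes where only the D bit is set",
          check(SIGNUP_UID, 2000, 0, rl | PRSFS_USR3, 0100644, PRSFS_WRITE), false },
        { "signup writes where the E bit is set",
          check(SIGNUP_UID, 2000, 0, rl | PRSFS_USR4, 0100644, PRSFS_WRITE), true },
    };
    int failed = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-48s %s\n", cases[i].what, cases[i].got ? "allowed" : "denied");
        if (cases[i].got != cases[i].want)
            failed++;
    }
    return failed ? 1 : 0;
}
```

The table in \texttt{main()} is the check a maintainer wants before touching that condition: every exception is exact (one right at a time, one mode word, one UID), so the cases that must stay denied (another user's private file, apache reading a 0755 file, {\tt signup} without the E bit) are as important as the ones that must pass.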