WWW on DFS space?

Post by Hans Hedlu » Fri, 31 Jan 1997 04:00:00

Hi.

Being quite new to DCE/DFS and setting up a WWW server in our cell,
I have encountered a neat problem.

I want to be able to run CGI programs as the user owning the program.
This is all fine, except for the fact that the server doesn't have the
user's DCE credentials and therefore can't write to any files on the user's
DFS partition unless the user modifies the ACL to allow anyone to write to
some file/path.

Does anyone have a solution to this that you can share with me?

--
Hans Hedlund                    Dep. of Computing Science

Tel +46 70 6261072              +46 90 167928


WWW on DFS space?

Post by Larry Doolitt » Fri, 31 Jan 1997 04:00:00
: I want to be able to run CGI programs as the user owning the program.
: [irrelevant DFS details omitted]
: Does anyone have a solution to this that you can share with me?

Make the program (or a gateway to it) suid and owned by that user.


WWW on DFS space?

Post by Simon Tarde » Sat, 01 Feb 1997 04:00:00
: Hi.

: Being quite new to DCE/DFS and setting up a WWW server in our cell,
: I have encountered a neat problem.

: I want to be able to run CGI programs as the user owning the program.
: This is all fine, except for the fact that the server doesn't have the
: user's DCE credentials and therefore can't write to any files on the user's
: DFS partition unless the user modifies the ACL to allow anyone to write to
: some file/path.

: Does anyone have a solution to this that you can share with me?

Each host is authenticated as a separate principal (typically
hosts/hostname/self). Try either adding that principal to group which
you give rights to modify the files in question, or modify the ACL to
include write permissions for it.

I didn't try it, but I guess it would work.

Regards,

Simon

--


WWW on DFS space?

Post by Harold Lockhar » Sat, 01 Feb 1997 04:00:00
> Hi.

> Being quite new to DCE/DFS and setting up a WWW server in our cell,
> I have encountered a neat problem.

> I want to be able to run CGI programs as the user owning the program.
> This is all fine, except for the fact that the server doesn't have the
> user's DCE credentials and therefore can't write to any files on the user's
> DFS partition unless the user modifies the ACL to allow anyone to write to
> some file/path.

> Does anyone have a solution to this that you can share with me?

The architecturally correct way to do this is to use delegation.
(Client creates credentials allowing delegation, server does
sec_login_become_delegate(), DFS evaluates delegated credentials.)
Unfortunately, DFS does not currently support this. (Somebody correct me
if I am wrong.)

Therefore, you must create a process running under a local identity that
corresponds to the client's DCE identity.

The basic idea is to do an inquiry on the binding handle to obtain the
principal's identity and use that to get the account data from the
registry.

Unfortunately the API does not make this very convenient to do.  (It's
easy on the client, where they anticipated the need for integrated
login.)  Also the addition of delegation made parsing the credentials
more complex.  I don't have time to investigate all of the details.  A
cursory investigation of the documentation and the .h files reveals that
1) many details are not in the documentation and 2) there are errors in
the documentation.  

Here is the basic idea.  You will have to study the .h files and perhaps
do some experimentation to get it to work.

Do rpc_binding_inq_auth_caller() to get a handle to the credentials.

Use the sec_cred_* API to get info on the principal.  I think you can
use sec_cred_get_client_princ_name() for this, but I am not sure.

Call sec_rgy_site_open() and sec_rgy_acct_lookup() to get the info
needed to create the UNIX process.

You will have to dig around in the structures of the various input and
output arguments. Also pay attention to memory allocation of the various
arguments or you may either get core leaks or data that spontaneously
disappears.

***************************** Very Important
***************************************
When coding the privileged program that does logins, be extremely
careful.  Most UNIX security problems have come from programs of this
type. It would be a good idea to isolate this code in a separate process
that is root and run the main server under some other identity.
************************************************************************************

Has anybody out there done this?

Hal
=================================================================
Harold W. Lockhart Jr.            Platinum Solutions Inc.
Chief Technical Architect         8 New England Executive Park

Voice: (617)273-6406              Fax: (617)229-2969
=================================================================
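Added example (not code from the thread or from any of its posters): a minimal suexec-style gateway in C that combines Larry's "make a gateway suid and owned by that user" suggestion with Hal's warning to isolate the privileged identity switch in a small, careful program. It does not do the DCE registry lookup Hal describes (that needs the DCE libraries); it covers what happens after that lookup has produced a local account name: the web server invokes the gateway with the account name and the CGI path, and the gateway refuses anything that is not a user-owned, non-writable-by-others executable under an absolute path, strips the environment down to the CGI variables, drops root irrevocably to that account and verifies the drop before exec. All names, the argument convention, and the variable whitelist are hypothetical choices for this illustration.

```c
/* Hypothetical suexec-style gateway: run a CGI as its owning user from a
   privileged helper. Added example; names and conventions are assumptions. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#if defined(__linux__)
extern int initgroups(const char *user, gid_t group); /* hidden under strict -std= */
#endif

/* CGI variables passed through; everything else (LD_PRELOAD, IFS, ...) is dropped. */
static const char *const safe_vars[] = {
    "CONTENT_LENGTH", "CONTENT_TYPE", "GATEWAY_INTERFACE", "PATH_INFO",
    "QUERY_STRING", "REMOTE_ADDR", "REQUEST_METHOD", "SCRIPT_NAME",
    "SERVER_NAME", "SERVER_PORT", "SERVER_PROTOCOL", NULL };

/* Copy only whitelisted NAME=value entries from in to out; a fixed PATH is
   always first. Returns the count, not including the NULL terminator. */
int build_safe_env(char *const *in, char **out, int out_max)
{
    int n = 0;
    out[n++] = "PATH=/usr/bin:/bin";
    for (; *in && n < out_max - 1; in++) {
        const char *eq = strchr(*in, '=');
        if (eq == NULL) continue;
        size_t klen = (size_t)(eq - *in);
        for (const char *const *v = safe_vars; *v; v++)
            if (strlen(*v) == klen && strncmp(*v, *in, klen) == 0) {
                out[n++] = *in;
                break;
            }
    }
    out[n] = NULL;
    return n;
}

/* The target must be an absolute path with no ".." component, so a request
   cannot steer the gateway outside the users' CGI directories. */
int path_is_safe(const char *path)
{
    if (path == NULL || path[0] != '/') return 0;
    for (const char *p = path; *p; ) {
        const char *seg = p;
        while (*p && *p != '/') p++;
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.') return 0;
        if (*p == '/') p++;
    }
    return 1;
}

/* Only a regular file, executable by its owner, writable by nobody else. */
int mode_is_safe(mode_t mode)
{
    if (!S_ISREG(mode)) return 0;
    if (mode & (S_IWGRP | S_IWOTH)) return 0;
    if (!(mode & S_IXUSR)) return 0;
    return 1;
}

/* The file owner must be the requested account and must never be root. */
int owner_is_safe(uid_t file_uid, uid_t expect_uid)
{
    return file_uid != 0 && file_uid == expect_uid;
}

/* Irrevocably become uid/gid, then prove the drop took: a gateway that can
   still regain root is worse than a CGI with no credentials at all. */
int drop_privileges(const char *user, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) return -1;
    if (initgroups(user, gid) != 0) return -1;  /* replace root's supplementary groups */
    if (setgid(gid) != 0) return -1;            /* gid first, while still root */
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;              /* regaining root must fail */
    if (getuid() != uid || geteuid() != uid) return -1;
    return 0;
}

/* Invocation by the web server (gateway installed setuid root):
   gateway USER /absolute/path/to/cgi */
int main(int argc, char **argv, char **envp)
{
    struct stat st;
    struct passwd *pw;
    char *env[32];

    if (argc != 3 || (pw = getpwnam(argv[1])) == NULL || !path_is_safe(argv[2]) ||
        stat(argv[2], &st) != 0 || !mode_is_safe(st.st_mode) ||
        !owner_is_safe(st.st_uid, pw->pw_uid)) {
        fprintf(stderr, "gateway: refusing request\n");
        return 1;
    }
    if (drop_privileges(pw->pw_name, pw->pw_uid, pw->pw_gid) != 0) {
        perror("gateway: privilege drop failed");
        return 1;
    }
    build_safe_env(envp, env, 32);
    execve(argv[2], (char *const[]){ argv[2], NULL }, env);
    perror("gateway: execve");
    return 1;
}
```

Two caveats a reviewer would raise on this pattern: the stat() followed by execve() is a check-then-use window, so the CGI directories themselves must not be writable by anyone but their owner (the same rule the mode check enforces on the file), and the gateway still gives the CGI only a UNIX identity, not DCE credentials, which is exactly the gap the thread is about.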


WWW on DFS space?

Post by Heinz Johne » Sun, 02 Feb 1997 04:00:00
> Hi.

> Being quite new to DCE/DFS and setting up a WWW server in our cell,
> I have encountered a neat problem.

> I want to be able to run CGI programs as the user owning the program.
> This is all fine, except for the fact that the server doesn't have the
> user's DCE credentials and therefore can't write to any files on the user's
> DFS partition unless the user modifies the ACL to allow anyone to write to
> some file/path.

> Does anyone have a solution to this that you can share with me?

> --
> Hans Hedlund                    Dep. of Computing Science

> Tel +46 70 6261072              +46 90 167928

Sorry, this newsgroup might not be the right place to put an ad, but I
just want to mention that there is (or was) some info on IBM's DCE Web
pages saying IBM will bring out a product that does exactly what you
want. It is supposed to be a Web server add-on that takes a user's id
and password and does a DCE login on the server side, having all the
benefits of DFS file level security. It's said the product will also
include tools for user administration and kind of auditing. Standard
Web browsers (and servers) can be used.

Heinz
