Morris Strongson <[EMAIL PROTECTED]> writes:
> (Environment: AIX AFS servers, Solaris and Linux Clients.)
> Several of our users have expressed interest in having their home
> directories point to their AFS areas.

We've been doing this for years.

> What we are afraid of is the fact that they would be world-readable and
> that sensitive files would be visible and dangerous.

Hm. Why would you have to make their home directories world-readable; for
.klogin files and the like?

The approach that we take is to make the top level of their home directory
world-listable but not world-readable (system:anyuser l) and then create a
subdirectory called public that's system:anyuser rl. We then put files
that have to be world-readable (like project and plan) into public and put
symlinks at the top level. This works fine.

We also create, at the time of account creation, a Mail directory and a
private directory and set them system:anyuser none.

That's the simpler approach; for people who understand AFS and can deal
with the complexities, I recommend what I call a "shadow home directory";
make the top level of your account world-readable and put the
world-readable config files there, create a subdirectory called home or
something similar and set it system:anyuser none, and at the top level use
a .cshrc or .profile similar to:
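
    if ($?prompt) then
        # Interactive shell: switch to the private shadow home and
        # load the real .cshrc kept there.
        setenv HOME /afs/ir/users/r/r/rra/home
        setenv MAIL $HOME/Mail/incoming
        set home = $HOME
        cd $home
        source .cshrc
    else
        # Non-interactive shell: minimal defaults only.
        umask 022
        set noclobber
        set rmstar
        limit coredumpsize 0
    endif
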
The only tricky part is dealing with .Xauthority files; if you can start X
after logging on to the console (such as on Solaris), then .Xauthority
gets created in the right place. Otherwise, you sometimes have to hack
xdm so that it will follow symlinks correctly or otherwise put the
.Xauthority somewhere other than the world-readable top level of your
account.

> There are really two parts to this question:
> 1. If a user's home directory is /afs/xxx/users/name, can
> we create /afs/xxx/users/name/dir0 with more limited
> access than /afs/xxx/users/name?

Yes.

> If so, can we create
> /afs/xxx/users/name/dir0/dir1 with more open access than
> /afs/xxx/users/name/dir0? The volume mount point would be
> /afs/xxx/users/name.

Yes, except that if you want someone to be able to read dir1, they have to
have list permissions on dir0. They don't have to have read permissions,
though.

> 2. Is there a better way to do this?

See above.

If you'd like to see the implementation of this, you can poke around my
home directory at /afs/ir.stanford.edu/users/r/r/rra.

--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
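
Added example, not part of the original message and not the poster's own
tooling: a shell sketch that provisions the simpler layout described above
(top level system:anyuser l, public rl, Mail and private none, symlinks at
the top level). The function names, the FS override variable and the
dotfile names .plan and .project are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names). FS is the AFS command suite
# binary; set FS=echo for a dry run that only prints the fs commands.
FS=${FS:-fs}

# Set the system:anyuser entry on one directory. Other ACL entries
# (the owner, system:administrators) are left untouched.
set_anyuser() {   # $1 = directory, $2 = rights: l, rl or none
    $FS setacl -dir "$1" -acl system:anyuser "$2"
}

# Provision the layout under an existing home directory ($1).
setup_afs_home() {
    home=$1
    [ -d "$home" ] || { echo "no such directory: $home" >&2; return 1; }

    # A new AFS directory starts with a copy of its parent's ACL, so
    # every subdirectory gets an explicit entry rather than relying on
    # whatever the top level happened to allow when it was created.
    mkdir -p "$home/public" "$home/Mail" "$home/private" || return 1

    # Close the sensitive directories before touching anything else.
    set_anyuser "$home/Mail" none || return 1
    set_anyuser "$home/private" none || return 1
    # Top level: list only. Names are visible, file contents are not.
    set_anyuser "$home" l || return 1
    # public: list and read.
    set_anyuser "$home/public" rl || return 1

    # Files that must be world-readable live in public/ and are reached
    # through relative symlinks at the top level (.plan and .project
    # are assumed names).
    for f in .plan .project; do
        if [ -f "$home/$f" ] && [ ! -L "$home/$f" ]; then
            mv "$home/$f" "$home/public/$f" || return 1
        fi
        if [ -e "$home/public/$f" ] && [ ! -e "$home/$f" ]; then
            ln -s "public/$f" "$home/$f" || return 1
        fi
    done
    return 0
}
```

Call it as setup_afs_home /afs/xxx/users/name while holding tokens with
administer rights on that directory; running it a second time changes
nothing.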