[OpenAFS] Solaris 8, dtlogin and ~/.dt/session/lastsession

Charles Clancy security@xauth.net
Fri, 9 Nov 2001 13:27:15 -0600 (CST)


> I set up a Solaris 8 environement so that clients log in using dtlogin
> hich uses pam_afs.so.1. Everything works just fine except when dtlogin
> tries to read the user's ~/.dt/session/lastsession to find out what
> session to start up. It obviously can't read the file since
> system:anyuser doesn't have any rights inside the user's dir. This
> causes it to ask the user which session to start up everytime they log
> on. Anyone has any idea for a workaround without giving system:anyuser
> read access to the user's home (to preserve a certain level of security)?

After 3 years of my users putting up with this annoyance (one faculty
member bothered me at least once a month about it), I finally tracked the
problem to ~/.dt/session/lastsession, as you seem to have done.  The
easiest thing to do is:

fs sa ~/.dt/session system:anyuser rl
fs sa ~/.dt system:anyuser l
fs sa ~ system:anyuser l

dtlogin tries to read the file before authenticating, and can't because it
doesn't have a token.  Setting system:anyuser = rl for that directory
solves this problem.  dtlogin doesn't try to write changes until after you
log in and have a token, so there's no problems recording the prefered
window manager for future logins.

The only "security compromise" is that users can figure out what each
others' default window managers are.  On our systems, we already had home
directories set as system:anyuser = l so apache can get to the
~/public_html directory and sendmail can get to the ~/Public/.forward
file.  Depending on your existing environment, you may decrease overall
security by doing this.

--
t. charles clancy <> tclancy@uiuc.edu <> www.uiuc.edu/~tclancy