[OpenAFS] chroot'd services accessing AFS

Nathan Rawling nrawling@firedrake.net
Fri, 1 Mar 2002 14:00:04 -0500 (EST)

On Thu, 28 Feb 2002, Charles Clancy wrote:

> At one point, I wanted to configure the standard Solaris ftpd to allow
> anonymous FTP access to files in AFS space.  My first attempt was to set
> the ftpd user's home directory to /afs/cell/ftpd.  I properly mknod'd the
> devices in /afs/cell/ftpd/dev, and got the sundry /afs/cell/ftpd/etc files
> in place.  The setup, however, didn't work.
> My question: Could it have worked?  How does the AFS client react to a
> chroot?  If AFS doesn't support FIFOs, how does it react to block and
> character devices?

The client works fine (IMHO), device special files are a different story.

> This *did* work, which leads me to believe the client would still work.
> However, in this case, the device entries were mknod'd onto a standard UFS
> file system.  Also, did one used to be able to specify the volume name to
> use as root.cell in the cacheinfo file?

You can, but I can't remember the option offhand. It might be "-rootvol

> Is it possible to have more than one mountpoint on the client for "/afs",
> to facilitate multiple chroot'd services?

No, I don't think so. You might be able to use a loopback mount (lofs).

The way I've done this in the past is to use  to mount a tmpfs filesystem
to build the device special files on at boot time, i.e.:

(in ftp startup)

mount -o tmpfs swap /afs/<cellname>/<ftproot>/dev
mknod <blah>
mknod <blah>
mknod <blah>
start ftpd, chrooting to /afs/<cellname>/<ftproot>/dev

You can easily do the same for named, or a webserver, just by chrooting to
a different place, but you have to recreate the device files again.