[OpenAFS] Home directory in AFS

Turbo Fredriksson turbo@bayour.com
20 Apr 2002 11:24:43 +0200


>>>>> "Charles" == Charles Clancy <security@xauth.net> writes:

    Charles> Pam_mkhomedir works in a non-AFS environment because it
    Charles> runs as root, before the user actually logs in.  It
    Charles> therefore has access to create directories in "/home".
    Charles> However, running as root, this module wouldn't have admin
    Charles> access to AFS such that it could create directories (or
    Charles> volumes!).

And if I add 'root' to the admin group, in the same way 'turbo' is?
Still, it's only DIRECTORIES, not VOLUMES. You basically said the same
thing three times (luckily, because I finally understood it the third
time :)

    Charles> Any such arrangement where it did have access
    Charles> to create directories and volumes would have grave
    Charles> security implications.

The idea is: 'pam_mkhomedir' runs as root, which is in the AFS Administrators
group. The directory is created in AFS space.

I see an immediate problem here. The module should be modified to recognize
AFS. After the directory has been created, add the user to the group owning
the directory (?). AND, the module should be able to create VOLUMES instead
of DIRECTORIES (runtime configuration option).

How does this sound?

Either that, or I manually add the user to the PT server when he/she is 'created'.
The account, not the user, even though creating users is fun too :).


    Charles> As far as "one-volume-per-home-directory":
    Charles> 1. You can specify different quotas for different users

This could be done on a per-user basis in non-AFS space, so that was one of
my misconceptions.

    Charles> 2. Each user's backup volume is independent -- so when doing a
    Charles> restore from tape, you don't have to restore all X GB of
    Charles> data, when the user's homedir is only 10 MB.

Quite frankly, I don't want to use AFS's 'builtin' backup system (this is one
reason). If it can't do 'incremental restores', then I find it totally worthless!


I'm using AFBackup, and that has proven to be quite reliable for my use.
Granted, I have not backed up anything AFS related yet, so maybe I can't use
it... But AFBackup has the possibility to restore individual files/directories
(as ANY backup system worth its salt can).

    Charles> 3. If you want to move a user's volume to a different server
    Charles> (perhaps one on their network, so it's faster), you can
    Charles> do that.

This is a nice feature, granted.

    Charles> 4. If something happens to the volume "all your
    Charles> eggs aren't in 1 basket".  and many more...

An even better reasoning.

    Charles> The only conceivable reason for keeping them all on one
    Charles> volume would be for your PAM module to work -- but it
    Charles> won't work anyway, so there are no conceivable reasons.

With a little coding in the module, maybe these 'problems' can be rectified (?).

If 'pam_mkhomedir' can be modified to recognize AFS (creating VOLUMES, not DIRECTORIES,
and be able to add the user to the PT server), then this should still be a nice
module/feature to use...

-- 
[Hello to all my fans in domestic surveillance] nuclear Treasury North
Korea Peking NSA Soviet Delta Force 747 Waco, Texas killed Rule Psix
toluene nitrate tritium
[See http://www.aclu.org/echelonwatch/index.html for more about this]
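The sequence of OpenAFS commands an AFS-aware replacement for pam_mkhomedir would have to run for a new account (PT server entry, one volume per user, mount point, ACL, backup volume), written as an added illustration that is not part of the thread or of any OpenAFS code. The cell root /afs/example.com, server fs1, partition /vicepa and the 100000 KB quota are assumed site values; whatever runs it must already hold an AFS admin token, which is exactly the exposure Charles warns about, so the script validates the account name before splicing it into any command and supports DRY_RUN=1 to only print what it would do.

```shell
#!/bin/sh
# Added example: steps a root-run, AFS-aware pam_mkhomedir would perform.
# Site values below are assumptions; override them in the environment.
AFS_HOME_ROOT="${AFS_HOME_ROOT:-/afs/example.com/home}"
AFS_SERVER="${AFS_SERVER:-fs1}"
AFS_PARTITION="${AFS_PARTITION:-/vicepa}"
AFS_QUOTA_KB="${AFS_QUOTA_KB:-100000}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = echo the commands instead of running them

# Echo in dry-run mode, execute otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Accept only plain lowercase account names: the name is spliced into
# pts/vos/fs arguments, so anything else (including a leading dash that
# could be read as an option) is rejected rather than passed through.
valid_user() {
    case "$1" in
        ""|-*|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Create the PT entry, the per-user volume, its mount point and ACL.
make_afs_home() {
    user="$1"
    valid_user "$user" || { echo "bad user name: $user" >&2; return 1; }
    vol="user.$user"
    dir="$AFS_HOME_ROOT/$user"
    if [ "$DRY_RUN" != "1" ] && [ -e "$dir" ]; then
        echo "$dir already exists" >&2
        return 1
    fi
    run pts createuser -name "$user"                 # PT server entry
    run vos create -server "$AFS_SERVER" -partition "$AFS_PARTITION" \
        -name "$vol" -maxquota "$AFS_QUOTA_KB"        # one volume per user
    run fs mkmount -dir "$dir" -vol "$vol"            # mount under home root
    run fs setacl -dir "$dir" -acl "$user" all system:administrators all
    run vos backup -id "$vol"                         # independent backup volume
}
```

Run as `DRY_RUN=1 make_afs_home alice` to see the command list without an AFS token.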