[OpenAFS] Home directory in AFS

Derek Atkins warlord@MIT.EDU
20 Apr 2002 10:46:27 -0400


Turbo Fredriksson <turbo@bayour.com> writes:

> >>>>> "Charles" == Charles Clancy <security@xauth.net> writes:
>     Charles> Any such arrangement where it did have access
>     Charles> to create directories and volumes would have grave
>     Charles> security implications.
> 
> The idea is: 'pam_mkhomedir' runs as root, which is in the AFS Administrators
> group. The directory is created in AFS space.
> 
> I see a immediate problem here. The module should be modified to recognize
> AFS. After the directory have been created, add the user to the group owning
> the directory (?). AND, the module should be able to create VOLUMES instead
> of DIRECTORIES (runtime configuration option).
> 
> How does this sound?

Just running as root is insufficient; it has to run with administrator
_TOKENS_ which means your client host needs to be able to obtain
tokens for system:administrator.  Basically, you'd need to change
pam_mkhomedir such that it:
        a) obtained system:administrator tokens
        b) created the volume, mountpoint, and released the parent
        c) set the new volume quota and acl
        d) ran 'fs checkb' to update the local parent volume
        e) dropped the tokens so your user doesn't get admin privs.

This is a LOT of work.  Considering you already have to create the
user accounts anyways, why not do this at the same time?  It's a
simple perl scripts which _YOU_ can run with _YOUR_ admin tokens!

> Either that, or I manually add the user to the PT server when he/she
> is 'created'.  The account, not the user, even though creating users
> are fun to :).

This is the MUCH better way of doing it.

> I'm using AFBackup, and that have proven to be quite reliable for my
> use.  Granted, I have not backed up anything AFS related yet, so
> maybe I can't use it... But AFBackup have the possibility to restore
> individual files/directories (as ANY backup system worth it's salt
> can).

If you don't use an AFS-aware backup system then you will lose certain
AFS-specific information (in particular directory ACL information).

The AFS backup system works on whole volumes.  It can still perform
incremental backups, but the restore process restores a complete
volume.  This is yet another reason to "limit" the size of volumes.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available