[OpenAFS] chroot'd services accessing AFS
Nathan Rawling
nrawling@firedrake.net
Fri, 1 Mar 2002 14:00:04 -0500 (EST)
On Thu, 28 Feb 2002, Charles Clancy wrote:
> At one point, I wanted to configure the standard Solaris ftpd to allow
> anonymous FTP access to files in AFS space. My first attempt was to set
> the ftpd user's home directory to /afs/cell/ftpd. I properly mknod'd the
> devices in /afs/cell/ftpd/dev, and got the sundry /afs/cell/ftpd/etc files
> in place. The setup, however, didn't work.
>
> My question: Could it have worked? How does the AFS client react to a
> chroot? If AFS doesn't support FIFOs, how does it react to block and
> character devices?
The client works fine (IMHO); device special files are a different story.
> This *did* work, which leads me to believe the client would still work.
> However, in this case, the device entries were mknod'd onto a standard UFS
> file system. Also, did one used to be able to specify the volume name to
> use as root.cell in the cacheinfo file?
You can, but I can't remember the option offhand. It might be "-rootvol
<volume>".
> Is it possible to have more than one mountpoint on the client for "/afs",
> to facilitate multiple chroot'd services?
No, I don't think so. You might be able to use a loopback mount (lofs).
The way I've done this in the past is to mount a tmpfs filesystem on which
to build the device special files at boot time, i.e.:
(in ftp startup)
# Solaris mount takes the filesystem type with -F; "-o tmpfs" would be read as a mount option
mount -F tmpfs swap /afs/<cellname>/<ftproot>/dev
# one mknod per device node the chroot'd service needs
mknod <blah>
mknod <blah>
mknod <blah>
# chroot to the service root itself, so that dev/ ends up inside the jail
start ftpd, chrooting to /afs/<cellname>/<ftproot>
You can easily do the same for named, or a webserver, just by chrooting to
a different place, but you have to recreate the device files again.
Nathan
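A sanity check for the tmpfs-over-dev layout described in the mail, added here as an example and not part of Nathan's post or of OpenAFS: it verifies that a jail rooted in AFS has real character devices under dev/ and that dev/ is a separate mount rather than a directory inside the AFS volume. It assumes the service needs the nodes null, zero and tty (adjust per service) and that `df -P` and `awk` are available.

```sh
#!/bin/sh
# Verify a chroot jail whose root lives in AFS: the device nodes must be real
# character devices and dev/ must be a separate mount (the tmpfs), because
# AFS itself cannot hold device special files.
# Assumed required nodes (adjust per service): null, zero, tty.
REQUIRED_NODES="null zero tty"

# Return 0 if $1/dev/$2 exists and is a character device.
node_ok() {
  [ -c "$1/dev/$2" ]
}

# Print the filesystem (df column 1) that holds a path; empty if df fails.
fs_of() {
  df -P "$1" 2>/dev/null | awk 'NR==2 {print $1}'
}

# Return 0 if the jail is usable, 1 otherwise; each problem goes to stderr.
check_chroot_dev() {
  root=$1
  status=0
  for node in $REQUIRED_NODES; do
    if ! node_ok "$root" "$node"; then
      echo "missing or not a character device: $root/dev/$node" >&2
      status=1
    fi
  done
  # dev/ must be its own mount: df must report a different filesystem for it
  root_fs=$(fs_of "$root")
  dev_fs=$(fs_of "$root/dev")
  if [ -z "$dev_fs" ] || [ "$root_fs" = "$dev_fs" ]; then
    echo "$root/dev is not a separate mount (filesystem: ${dev_fs:-unknown})" >&2
    status=1
  fi
  return $status
}

# Usage: check_chroot_dev /afs/<cellname>/<ftproot>
```

Run it from the service's startup script after the mount and mknod steps; a non-zero exit means the jail would start without working devices.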