[OpenAFS] AFS/UNIX attributes, home directories in AFS

Russ Allbery rra@stanford.edu
Mon, 15 Sep 2003 14:34:37 -0700 

Adam Done <donestudios@gmx.net> writes:

> Can one still have unix home directories in AFS infrastructor with all
> the access rights and all?  This is very important to applications who
> need to create conf files and other important information.

I'm not sure what you're trying to ask.

We put all of our user home directories in AFS, so yes, clearly it's
possible.  However, it does require some careful attention to file
permissions and sometimes requires symlinking files into subdirectories so
that one can set separate file permissions on them, as shown in the
message to which you were responding.

It also requires convincing some programs that like to create special
files in one's home directory to create them somewhere else.

Personally, I've had the best luck with what I call a "shadow" home
directory set up.  I make my home directory world-readable and then create
a subdirectory called home, which is set to be readable only by me.  My
.cshrc in my real home directory looks like this:

    if ($?prompt) then
        (/usr/pubsw/bin/klist | grep afs) >& /dev/null || /etc/leland/aklog
        /usr/afsws/bin/tokens >& /dev/null || /usr/bin/tokens >& /dev/null
        if ($? == 0) then
            if (-f .Xauthority && ! -l .Xauthority) then
                mv -f .Xauthority home/.Xauthority
                ln -s home/.Xauthority .
            endif
            setenv HOME /afs/ir/users/r/r/rra/home
            setenv MAIL $HOME/Mail/incoming
            set home = $HOME
            cd $home
            source .cshrc
        endif
    else
        umask 022
        set noclobber
        set rmstar
        limit coredumpsize 0
    endif

In other words, it makes sure that I have an AFS token (running klog first
if I appear to have tickets but no token), and then if I do have AFS
tokens, it makes sure that I don't have a .Xauthority file in the wrong
place and then resets my home directory to be ~rra/home instead of ~rra.
It then cd's into that directory and runs my "real" .cshrc and proceeds
with normal shell initialization.

(The Xauthority stuff is annoying, and is there just if I *have* to use a
system that uses xdm.  There's still a small race condition if I use such
a system between when the .Xauthority file is created world-readable and
when it gets moved into the appropriate location, if xdm doesn't support
symlinks.  I generally always log on to a console and then start X
explicitly after my home directory has already changed, which solves that
problem.)

Note that this setup can confuse some programs which use getpwnam to
obtain your home directory rather than using HOME, although most of those
seem to have been fixed by now.  (We used to routinely have to patch mail
clients and the like, but most of them now seem to behave properly out of
the box.)

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>